From 91c802ff526a0aa0618f6d5c282a9b9b8e41bff8 Mon Sep 17 00:00:00 2001 From: Tao Liu Date: Thu, 18 Mar 2021 16:52:46 +0800 Subject: [PATCH] Fix incorrect permissions on kdump dmesg file Also known as CVE-2021-20269. The kdump dmesg log files(kexec-dmesg.log, vmcore-dmesg.txt) are generated by shell redirection, which take the default umask value, making the files readable for group and others. This patch chmod these files, making them only accessible to owner. Signed-off-by: Tao Liu Acked-by: Kairui Song
---
 dracut-module-setup.sh | 1 + kdump-lib-initramfs.sh | 2 ++ 2 files changed, 3 insertions(+)
diff --git a/dracut-module-setup.sh b/dracut-module-setup.sh
index 21143b4..8316589 100755
--- a/dracut-module-setup.sh
+++ b/dracut-module-setup.sh
@@ -849,6 +849,7 @@ install() {
 inst "/sbin/vmcore-dmesg" "/sbin/vmcore-dmesg"
 inst "/usr/bin/printf" "/sbin/printf"
 inst "/usr/bin/logger" "/sbin/logger"
+ inst "/usr/bin/chmod" "/sbin/chmod"
 inst "/lib/kdump/kdump-lib.sh" "/lib/kdump-lib.sh"
 inst "/lib/kdump/kdump-lib-initramfs.sh" "/lib/kdump-lib-initramfs.sh"
 inst "/lib/kdump/kdump-logger.sh" "/lib/kdump-logger.sh"
diff --git a/kdump-lib-initramfs.sh b/kdump-lib-initramfs.sh
index 86065be..5cb0223 100755
--- a/kdump-lib-initramfs.sh
+++ b/kdump-lib-initramfs.sh
@@ -111,6 +111,7 @@ save_log()
 if command -v journalctl > /dev/null; then
 journalctl -ab >> $KDUMP_LOG_FILE
 fi
+ chmod 600 $KDUMP_LOG_FILE
 }
 # dump_fs
@@ -178,6 +179,7 @@ save_vmcore_dmesg_fs() {
 _exitcode=$?
 if [ $_exitcode -eq 0 ]; then
 mv ${_path}/vmcore-dmesg-incomplete.txt ${_path}/vmcore-dmesg.txt
+ chmod 600 ${_path}/vmcore-dmesg.txt
 # Make sure file is on disk. There have been instances where later
 # saving vmcore failed and system rebooted without sync and there
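Review bot: The `chmod 600 $KDUMP_LOG_FILE` added at the end of save_log tightens the mode only after the log has been fully written, so the file carries the default-umask mode for the whole write and keeps it if the function is interrupted before this line. Setting `umask 077` before the redirection that creates the file would make it owner-only from the first byte, with the chmod kept as a fallback for a file that already exists; that redirection is described in the commit message but lies outside this hunk, as does the start of save_log. The same applies to the save_vmcore_dmesg_fs hunk, where the chmod sits inside the `_exitcode -eq 0` branch, so a leftover `vmcore-dmesg-incomplete.txt` on the failure path appears to keep its group/other-readable mode. Both paths are also unquoted; `chmod 600 "$KDUMP_LOG_FILE"` and `chmod 600 "${_path}/vmcore-dmesg.txt"` avoid word splitting if the configured path contains spaces.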