Bug fixes #484

Merged
merged 4 commits into from
Jun 27, 2024

daniloegea
Collaborator

@daniloegea daniloegea commented Jun 26, 2024

Description

These are the fixes recently published as part of https://launchpad.net/ubuntu/+source/netplan.io/1.0-2ubuntu1.1

Checklist

  • Runs make check successfully.
  • Retains 100% code coverage (make check-coverage).
  • New/changed keys in YAML format are documented.
  • (Optional) Adds example YAML for new feature.
  • (Optional) Closes an open bug in Launchpad.

A new util.c:_netplan_g_string_free_to_file_with_permissions() was added
and accepts the owner, group and file mode as arguments. When these
properties can't be set, when the generator is called by a non-root user
for example, it will not hard-fail. This function is called by unit
tests where we can't set the owner to a privileged account for example.

When generating backend files, use more restrictive permissions:

networkd related files will be owned by root:systemd-network and have
mode 0640.

service unit files will be owned by root:root and have mode 0640.
udevd files will be owned by root:root with mode 0640.

wpa_supplicant and Network Manager files will continue with the existing
permissions.

Autopkgtests will check if the permissions are set as expected when
calling the generator.

This fix addresses CVE-2022-4968

Control characters are escaped in the parser using glib's g_strescape.
Quotes and backslashes were added to the list of exceptions.

In places where double quotes are not escaped, such as netdef IDs as it
is allowed as interface names, they are escaped as needed when
generating back end configuration.

To support escaping in wpa_supplicant configuration, the syntax for
setting the SSID was changed to 'ssid=P"string here"'. With that,
escaping is supported in a printf-style.

Escape strings used to build paths with g_uri_escape_string().
systemd_escape() could also be used but it has the downside of calling
an external program and, by default, it escapes dashes (which are
present in files generated from Network Manager for example).

Semicolons separated from other words by a combination of spaces and/or
tabs will be escaped.
@daniloegea daniloegea marked this pull request as ready for review June 26, 2024 16:59
@daniloegea daniloegea requested a review from slyon June 26, 2024 16:59
Collaborator

@slyon slyon left a comment


Thanks, LGTM!

It matches the embargoed branch that I've had reviewed earlier (ignoring patch fuzz, due to rebase).

@slyon slyon merged commit 316b9b7 into canonical:main Jun 27, 2024
15 of 16 checks passed