Bug fixes #484

Merged
merged 4 commits into from
Jun 27, 2024

Commits on Jun 26, 2024

  1. libnetplan: use more restrictive file permissions

    A new util.c:_netplan_g_string_free_to_file_with_permissions() was added
    and accepts the owner, group and file mode as arguments. When these
    properties can't be set, when the generator is called by a non-root user
    for example, it will not hard-fail. This function is called by unit
    tests where we can't set the owner to a privileged account for example.
    
    When generating backend files, use more restrictive permissions:
    
    networkd related files will be owned by root:systemd-network and have
    mode 0640.
    
    service unit files will be owned by root:root and have mode 0640.
    udevd files will be owned by root:root with mode 0640.
    
    wpa_supplicant and Network Manager files will continue with the existing
    permissions.
    
    Autopkgtests will check if the permissions are set as expected when
    calling the generator.
    
    This fix addresses CVE-2022-4968
    daniloegea committed Jun 26, 2024
    ba21cfe
  2. libnetplan: escape control characters

    Control characters are escaped in the parser using glib's g_strescape.
    Quotes and backslashes were added to the list of exceptions.
    
    In places where double quotes are not escaped, such as netdef IDs as it
    is allowed as interface names, they are escaped as needed when
    generating back end configuration.
    
    To support escaping in wpa_supplicant configuration, the syntax for
    setting the SSID was changed to 'ssid=P"string here"'. With that,
    escaping is supported in a printf-style.
    daniloegea committed Jun 26, 2024
    ee1703f
  3. backends: escape file paths

    Escape strings used to build paths with g_uri_escape_string().
    systemd_escape() could also be used but it has the downside of calling
    an external program and, by default, it escapes dashes (which are
    present in files generated from Network Manager for example).
    daniloegea committed Jun 26, 2024
    85f1a6c
  4. backends: escape semicolons in service units

    Semicolons separated from other words by a combination of spaces and/or
    tabs will be escaped.
    daniloegea committed Jun 26, 2024
    36010fa
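
The behaviour described in commit 1 (exact file mode, owner and group given by name, no hard failure when ownership cannot be set), as an added example that is not netplan's code. `write_restricted` and `demo_mode` are hypothetical names, plain POSIX calls stand in for the GLib-based function, and the temporary path and file content are constructed.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not netplan's function: write data to path with an
 * exact mode and, where possible, the named owner and group. Failing to
 * change ownership (non-root caller, unknown group) is not an error. */
int write_restricted(const char *path, const char *data,
                     const char *owner, const char *group, mode_t mode)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct passwd *pw = owner ? getpwnam(owner) : NULL;
    struct group *gr = group ? getgrnam(group) : NULL;
    /* (uid_t)-1 / (gid_t)-1 leave that id unchanged; failure is only logged */
    if (fchown(fd, pw ? pw->pw_uid : (uid_t)-1, gr ? gr->gr_gid : (gid_t)-1) != 0)
        fprintf(stderr, "%s: ownership not changed\n", path);
    /* fchmod ignores the umask and also tightens a pre-existing, looser file */
    size_t len = strlen(data);
    int ok = fchmod(fd, mode) == 0 && write(fd, data, len) == (ssize_t)len;
    return (close(fd) == 0 && ok) ? 0 : -1;
}

/* Constructed demo: start from a world-readable file, as an earlier run
 * might have left it, and return the permission bits after rewriting it. */
int demo_mode(void)
{
    char path[] = "/tmp/netplan-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    fchmod(fd, 0644);
    close(fd);
    struct stat st = {0};
    int rc = write_restricted(path, "[Match]\nName=eth0\n", "root", "systemd-network", 0640);
    if (rc == 0) rc = stat(path, &st);
    unlink(path);
    return rc == 0 ? (int)(st.st_mode & 07777) : -1;
}

int main(void)
{
    printf("mode after rewrite: %o\n", (unsigned)demo_mode());
    return 0;
}
```

Run as a non-root user, the ownership change is refused and only logged, while the mode is still tightened from 0644 to 0640 before any content is written.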