diff options
author | Michael Orlitzky <mjo@gentoo.org> | 2017-11-02 13:08:14 -0400 |
---|---|---|
committer | Michael Orlitzky <mjo@gentoo.org> | 2017-11-04 19:37:20 -0400 |
commit | 184ae2c637ba60cd8f65d33c9098a2f4a079b4dc (patch) | |
tree | 0fb6652493df8fad58409b7a4c9e950e7e553c3a /net-analyzer | |
parent | net-analyzer/pnp4nagios: new revision to fix nagios/icinga "or" dependency. (diff) | |
download | gentoo-184ae2c637ba60cd8f65d33c9098a2f4a079b4dc.tar.gz gentoo-184ae2c637ba60cd8f65d33c9098a2f4a079b4dc.tar.bz2 gentoo-184ae2c637ba60cd8f65d33c9098a2f4a079b4dc.zip |
net-analyzer/pnp4nagios: new revision with a better fix for CVE-2012-3457.
In CVE-2012-3457, it was reported that one particular file should not
be world-readable. To fix that, our ebuild made all of /etc/pnp
unreadable; that made other permissions issues difficult to work
around. This r2 sets o-rwx only on /etc/pnp/process_perfdata.cfg.
Bug: https://bugs.gentoo.org/430358
Package-Manager: Portage-2.3.8, Repoman-2.3.3
Diffstat (limited to 'net-analyzer')
-rw-r--r-- | net-analyzer/pnp4nagios/pnp4nagios-0.6.26-r2.ebuild (renamed from net-analyzer/pnp4nagios/pnp4nagios-0.6.26-r1.ebuild) | 21 |
1 files changed, 7 insertions, 14 deletions
diff --git a/net-analyzer/pnp4nagios/pnp4nagios-0.6.26-r1.ebuild b/net-analyzer/pnp4nagios/pnp4nagios-0.6.26-r2.ebuild index c15a8c98de6f..818bc3104ffe 100644 --- a/net-analyzer/pnp4nagios/pnp4nagios-0.6.26-r1.ebuild +++ b/net-analyzer/pnp4nagios/pnp4nagios-0.6.26-r2.ebuild @@ -74,25 +74,18 @@ src_install() { rm "${ED%/}/usr/share/pnp/install.php" || \ die "unable to remove ${ED%/}/usr/share/pnp/install.php" + # Fix CVE-2012-3457 (Gentoo bug 430358) + fperms o-rwx /etc/pnp/process_perfdata.cfg + if use apache2 ; then insinto "${APACHE_MODULES_CONFDIR}" newins "${FILESDIR}"/98_pnp4nagios-2.4.conf 98_pnp4nagios.conf - # Allow the apache user to read our config files. This same - # approach is used in net-analyzer/nagios-core. - chgrp -R apache "${ED%/}/etc/pnp" \ - || die "failed to change group of ${ED%/}/etc/pnp" + # This one file isn't world-readable, but it should be group- + # readable. Give it to the "apache" group to let the web + # server read it. + fowners :apache /etc/pnp/process_perfdata.cfg fi - - # Bug 430358 - CVE-2012-3457 - local f - while IFS="" read -d $'\0' -r f ; do - chmod 0640 "${f}" || die - done < <(find "${ED%/}/etc/pnp" -type f) - - while IFS="" read -d $'\0' -r f ; do - chmod 0750 "${f}" || die - done < <(find "${ED%/}/etc/pnp" -type d) } pkg_postinst() { |