Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 23 Jul 2019 14:47:15 +0000 (UTC)
From:      Rodrigo Osorio <rodrigo@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r507219 - in head/net/rtg: . files
Message-ID:  <201907231447.x6NElFH6085298@repo.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: rodrigo
Date: Tue Jul 23 14:47:15 2019
New Revision: 507219
URL: https://svnweb.freebsd.org/changeset/ports/507219

Log:
  Patch createdb script to avoid race condition / file tampering
  
  During the initialization net/rtg uses the /tmp/mysql.sql
  and /tmp/rtg.sql to store the SQL commands executed in the
  database with special user privileges.
  
  Using well known files can lead to a race condition between
  two process who uses the same file names and allow file
  tampering by a malicious user.
  
  This fix uses mktemp command to create temporary files
  in a safe way
  
  PR:		238262
  Submitted by:	rodrigo
  Approved by:	freebsd-ports@dan.me.uk (maintainer timeout)
  MFH:	2019Q3

Modified:
  head/net/rtg/Makefile
  head/net/rtg/files/patch-etc_createdb.in

Modified: head/net/rtg/Makefile
==============================================================================
--- head/net/rtg/Makefile	Tue Jul 23 14:45:46 2019	(r507218)
+++ head/net/rtg/Makefile	Tue Jul 23 14:47:15 2019	(r507219)
@@ -3,7 +3,7 @@
 
 PORTNAME=	rtg
 PORTVERSION=	0.7.4
-PORTREVISION=	18
+PORTREVISION=	19
 CATEGORIES=	net
 MASTER_SITES=	SF \
 		ftp://ftpmirror.uk/freebsd-ports/rtg/

Modified: head/net/rtg/files/patch-etc_createdb.in
==============================================================================
--- head/net/rtg/files/patch-etc_createdb.in	Tue Jul 23 14:45:46 2019	(r507218)
+++ head/net/rtg/files/patch-etc_createdb.in	Tue Jul 23 14:47:15 2019	(r507219)
@@ -1,20 +1,32 @@
---- etc/createdb.in.orig	2018-04-02 22:52:32 UTC
+--- etc/createdb.in.orig	2003-01-22 19:07:02 UTC
 +++ etc/createdb.in
-@@ -23,11 +23,8 @@ echo ""
+@@ -15,6 +15,8 @@
+ RTGPASS="rtgdefault"
+ DATABASE="rtg"
+ USER="snmp"
++MYSQL_FILE=`mktemp -q /tmp/mysql.XXXXXX`
++RTG_FILE=`mktemp -q /tmp/rtg.XXXXXX`
  
+ echo ""
+ echo "$0 setting up MySQL database for RTG."
+@@ -22,103 +24,98 @@
+ echo ""
+ 
  # Create the necessary SQL in two /tmp files
- cat <<EOT >/tmp/mysql.sql
+-cat <<EOT >/tmp/mysql.sql
 -INSERT INTO user (Host, User, Password) VALUES ('$HOST','$USER',PASSWORD("$RTGPASS"));
 -INSERT INTO db (Host, Db, User, Select_priv, Insert_priv, Update_priv, Delete_priv, 
 -Create_priv, Drop_priv, Grant_priv, References_priv, Index_priv, Alter_priv) 
 -VALUES ('$HOST','$DATABASE','$USER','Y','Y','Y','Y','Y','Y','Y','Y','Y','Y');
 -FLUSH PRIVILEGES;
++cat <<EOT >$MYSQL_FILE
 +CREATE USER '$USER'@'$HOST' IDENTIFIED BY '$RTG_PASS';
 +GRANT ALL ON '$DATABASE'.* TO '$USER'@'$HOST';
  EOT
  
- cat <<EOT >/tmp/rtg.sql
-@@ -35,81 +32,81 @@ cat <<EOT >/tmp/rtg.sql
+-cat <<EOT >/tmp/rtg.sql
++cat <<EOT >$RTG_FILE
+ #
  # Table structure for table 'router'
  #
  
@@ -135,12 +147,14 @@
  );
  EOT
  
-@@ -117,8 +114,6 @@ echo "Adding user \"$USER\" to MySQL dat
- cat /tmp/mysql.sql | $MYSQLBIN/mysql -u root -p$ROOTPASS mysql
+ echo "Adding user \"$USER\" to MySQL database..."
+-cat /tmp/mysql.sql | $MYSQLBIN/mysql -u root -p$ROOTPASS mysql
++cat $MYSQL_FILE | $MYSQLBIN/mysql -u root -p$ROOTPASS mysql
  echo "Creating RTG database \"$DATABASE\"..."
  $MYSQLBIN/mysqladmin -u root -p$ROOTPASS create $DATABASE
 -echo "Reloading MySQL privileges..."
 -$MYSQLBIN/mysqladmin -u root -p$ROOTPASS flush-privileges
  echo "Creating RTG tables..."
- cat /tmp/rtg.sql | $MYSQLBIN/mysql -u $USER -p$RTGPASS $DATABASE
+-cat /tmp/rtg.sql | $MYSQLBIN/mysql -u $USER -p$RTGPASS $DATABASE
++cat $RTG_FILE | $MYSQLBIN/mysql -u $USER -p$RTGPASS $DATABASE
  echo "Done."



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201907231447.x6NElFH6085298>