[bacula/f16] Make dump_resource respect console ACL's (#857957)

Lukáš Nykrýn lnykryn at fedoraproject.org
Tue Sep 18 13:30:51 UTC 2012


commit 65bf3cbeb1c46f0a6f62787e37b08e2a4aaa39da
Author: Lukas Nykryn <lnykryn at redhat.com>
Date:   Tue Sep 18 10:43:37 2012 +0200

    Make dump_resource respect console ACL's (#857957)

 bacula-5.0.3-acl.patch |  111 ++++++++++++++++++++++++++++++++++++++++++++++++
 bacula.spec            |    8 +++-
 2 files changed, 118 insertions(+), 1 deletions(-)
---
diff --git a/bacula-5.0.3-acl.patch b/bacula-5.0.3-acl.patch
new file mode 100644
index 0000000..1d67bd3
--- /dev/null
+++ b/bacula-5.0.3-acl.patch
@@ -0,0 +1,111 @@
+diff --git a/bacula-5.0.3/src/dird/dird_conf.c b/bacula-5.0.3/src/dird/dird_conf.c
+index a822898..4c411d1 100644
+--- a/bacula-5.0.3/src/dird/dird_conf.c
++++ b/bacula-5.0.3/src/dird/dird_conf.c
+@@ -552,6 +552,7 @@ void dump_resource(int type, RES *reshdr, void sendit(void *sock, const char *fm
+    bool recurse = true;
+    char ed1[100], ed2[100], ed3[100];
+    DEVICE *dev;
++   UAContext *ua = (UAContext *)sock;
+ 
+    if (res == NULL) {
+       sendit(sock, _("No %s resource defined\n"), res_to_str(type));
+@@ -597,6 +598,9 @@ void dump_resource(int type, RES *reshdr, void sendit(void *sock, const char *fm
+       break;
+ 
+    case R_CLIENT:
++      if (!acl_access_ok(ua, Client_ACL, res->res_client.hdr.name)) {
++         break;
++      }
+       sendit(sock, _("Client: name=%s address=%s FDport=%d MaxJobs=%u\n"),
+          res->res_client.hdr.name, res->res_client.address, res->res_client.FDport,
+          res->res_client.MaxConcurrentJobs);
+@@ -624,6 +628,9 @@ void dump_resource(int type, RES *reshdr, void sendit(void *sock, const char *fm
+       break;
+ 
+    case R_STORAGE:
++      if (!acl_access_ok(ua, Storage_ACL, res->res_store.hdr.name)) {
++         break;
++      }
+       sendit(sock, _("Storage: name=%s address=%s SDport=%d MaxJobs=%u\n"
+ "      DeviceName=%s MediaType=%s StorageId=%s\n"),
+          res->res_store.hdr.name, res->res_store.address, res->res_store.SDport,
+@@ -634,6 +641,9 @@ void dump_resource(int type, RES *reshdr, void sendit(void *sock, const char *fm
+       break;
+ 
+    case R_CATALOG:
++      if (!acl_access_ok(ua, Catalog_ACL, res->res_cat.hdr.name)) {
++         break;
++      }
+       sendit(sock, _("Catalog: name=%s address=%s DBport=%d db_name=%s\n"
+ "      db_driver=%s db_user=%s MutliDBConn=%d\n"),
+          res->res_cat.hdr.name, NPRT(res->res_cat.db_address),
+@@ -644,6 +654,9 @@ void dump_resource(int type, RES *reshdr, void sendit(void *sock, const char *fm
+ 
+    case R_JOB:
+    case R_JOBDEFS:
++      if (!acl_access_ok(ua, Job_ACL, res->res_job.hdr.name)) {
++         break;
++      }
+       sendit(sock, _("%s: name=%s JobType=%d level=%s Priority=%d Enabled=%d\n"),
+          type == R_JOB ? _("Job") : _("JobDefs"),
+          res->res_job.hdr.name, res->res_job.JobType,
+@@ -762,6 +775,9 @@ void dump_resource(int type, RES *reshdr, void sendit(void *sock, const char *fm
+    case R_FILESET:
+    {
+       int i, j, k;
++      if (!acl_access_ok(ua, FileSet_ACL, res->res_fs.hdr.name)) {
++         break;
++      }
+       sendit(sock, _("FileSet: name=%s\n"), res->res_fs.hdr.name);
+       for (i=0; i<res->res_fs.num_includes; i++) {
+          INCEXE *incexe = res->res_fs.include_items[i];
+@@ -849,6 +865,9 @@ void dump_resource(int type, RES *reshdr, void sendit(void *sock, const char *fm
+    }
+ 
+    case R_SCHEDULE:
++      if (!acl_access_ok(ua, Schedule_ACL, res->res_sch.hdr.name)) {
++         break;
++      }
+       if (res->res_sch.run) {
+          int i;
+          RUN *run = res->res_sch.run;
+@@ -937,6 +956,9 @@ next_run:
+       break;
+ 
+    case R_POOL:
++      if (!acl_access_ok(ua, Pool_ACL, res->res_pool.hdr.name)) {
++         break;
++      }
+       sendit(sock, _("Pool: name=%s PoolType=%s\n"), res->res_pool.hdr.name,
+               res->res_pool.pool_type);
+       sendit(sock, _("      use_cat=%d use_once=%d cat_files=%d\n"),
+diff --git a/bacula-5.0.3/src/tools/Makefile.in b/bacula-5.0.3/src/tools/Makefile.in
+index 6b40443..10f9fe1 100644
+--- a/bacula-5.0.3/src/tools/Makefile.in
++++ b/bacula-5.0.3/src/tools/Makefile.in
+@@ -27,12 +27,12 @@ dummy:
+ 
+ GETTEXT_LIBS = @LIBINTL@
+ 
+-FINDOBJS = testfind.o ../dird/dird_conf.o ../dird/inc_conf.o ../dird/run_conf.o
++FINDOBJS = testfind.o ../dird/dird_conf.o ../dird/inc_conf.o ../dird/ua_acl.o ../dird/run_conf.o
+ 
+ # these are the objects that are changed by the .configure process
+ EXTRAOBJS = @OBJLIST@
+ 
+-DIRCONFOBJS = ../dird/dird_conf.o ../dird/run_conf.o ../dird/inc_conf.o
++DIRCONFOBJS = ../dird/dird_conf.o ../dird/ua_acl.o ../dird/run_conf.o ../dird/inc_conf.o
+ 
+ NODIRTOOLS = bsmtp
+ DIRTOOLS = bsmtp dbcheck drivetype fstype testfind testls bregex bwild bbatch bregtest bvfs_test ing_test
+@@ -77,6 +77,9 @@ drivetype: Makefile drivetype.o ../lib/libbac$(DEFAULT_ARCHIVE_TYPE) ../findlib/
+ dird_conf.o: ../dird/dird_conf.c
+ 	$(CXX) $(DEFS) $(DEBUG) -c $(CPPFLAGS) $(PYTHON_INC) -I$(srcdir) -I$(basedir) $(DINCLUDE) $(CFLAGS) $<
+ 
++ua_acl.o: ../dird/ua_acl.c
++	$(CXX) $(DEFS) $(DEBUG) -c $(CPPFLAGS) $(PYTHON_INC) -I$(srcdir) -I$(basedir) $(DINCLUDE) $(CFLAGS) $<
++
+ run_conf.o: ../dird/run_conf.c
+ 	$(CXX) $(DEFS) $(DEBUG) -c $(CPPFLAGS) $(PYTHON_INC) -I$(srcdir) -I$(basedir) $(DINCLUDE) $(CFLAGS) $<
+ 
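Review bot: The added `UAContext *ua = (UAContext *)sock;` at the top of dump_resource assumes every caller passes a UAContext as `sock`, but the parameter is an opaque `void *` that the visible code otherwise only forwards to `sendit`. The Makefile.in part of this patch links `ua_acl.o` into the tools objects, which suggests dump_resource is also built into programs with no console session, where `sock` may be NULL or a different type. acl_access_ok is not shown, so whether it tolerates that cannot be confirmed from this patch. I would document the contract above the declaration, e.g. `/* sock must be a UAContext * or NULL; NULL means no console session, so no ACL applies */`, and, if NULL is a legitimate value, write each check as `if (ua && !acl_access_ok(ua, Client_ACL, res->res_client.hdr.name)) {`. The same applies to the Storage, Catalog, Job, FileSet, Schedule and Pool checks; the body of dump_resource extends beyond these nested hunks, so resource types not shown here could not be reviewed.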
diff --git a/bacula.spec b/bacula.spec
index dfe6ade..5026f0b 100644
--- a/bacula.spec
+++ b/bacula.spec
@@ -3,7 +3,7 @@
 
 Name:                   bacula
 Version:                5.0.3
-Release:                32%{?dist}
+Release:                33%{?dist}
 Summary:                Cross platform network backup for Linux, Unix, Mac and Windows
 # See LICENSE for details
 License:                AGPLv3 with exceptions
@@ -41,6 +41,7 @@ Patch8:                 bacula-5.0.3-sqlite-priv.patch
 Patch9:                 bacula-5.0.3-tray-dir.patch
 Patch10:                bacula-5.0.3-mysql55.patch
 Patch11:                bacula-5.0.3-maxvalue.patch
+Patch12:		bacula-5.0.3-acl.patch
 
 BuildRequires:          openssl-devel, ncurses-devel, perl, glibc-devel
 BuildRequires:          libstdc++-devel, libxml2-devel, zlib-devel
@@ -427,6 +428,7 @@ pushd bacula-%{version}
 %patch9 -p2 -b .tray-dir
 %patch10 -p0 -b .mysql55
 %patch11 -p1 -b .maxvalue
+%patch12 -p2 -b .acl
 
 # Remove execution permissions from files we're packaging as docs later on
 find updatedb -type f | xargs chmod -x
@@ -1258,6 +1260,10 @@ fi
 
 
 %changelog
+* Tue Sep 18 2012 Lukáš Nykrýn <lnykryn at redhat.com> - 5.0.3-33
+- Make dump_resource respect console ACL's (#857957)
+- CVE-2012-4430
+
 * Mon Jul 23 2012 Simone Caronni <negativo17 at gmail.com> 5.0.3-32
 - Updated sysconfig files.
 

