[12/20] Squid: Prevent binaries within /var/ipfire/updatexlrator/bin/ from being owned by nobody

Message ID 4d993216-9803-346c-3f54-de35633d1205@ipfire.org
State Accepted
Commit 859100c5c0708ff9aed1da2802afb18540482a65
Series Prevent "nobody" from escalating privileges by using writeable binaries as a vehicle |

Commit Message

Peter Müller May 17, 2021, 7:05 p.m. UTC
  Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
---
 lfs/squid | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
  

Patch

diff --git a/lfs/squid b/lfs/squid
index 33cb95ba1..18cb30ef7 100644
--- a/lfs/squid
+++ b/lfs/squid
@@ -171,6 +171,7 @@  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	ln -fs /bin/false /var/ipfire/updatexlrator/autocheck/cron.weekly
 
 	chown -R nobody:nobody /var/ipfire/updatexlrator
+	chown -R root:root /var/ipfire/updatexlrator/bin
 	chown nobody.squid /var/updatecache
 	chown nobody.squid /var/updatecache/download
 	chown nobody.squid /var/updatecache/metadata
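Review bot: The added `chown -R root:root /var/ipfire/updatexlrator/bin` fixes ownership of the directory's contents, but the parent `/var/ipfire/updatexlrator` is still owned by nobody from the recursive chown on the line before, and write access to a parent directory is enough to rename or replace the `bin` entry itself regardless of who owns it. If nothing needs to create entries directly under that parent (not visible from this hunk), add `chown root:root /var/ipfire/updatexlrator` without `-R` after the new line; otherwise the binaries would be safer installed outside the nobody-owned tree. chown also leaves file modes untouched, so a `chmod -R go-w /var/ipfire/updatexlrator/bin` next to it would ensure no group- or world-writable bits remain. The recipe starts before and continues after this hunk.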
@@ -186,7 +187,7 @@  $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	chown nobody.nobody /srv/web/ipfire/html/proxy.pac
 	ln -sf /srv/web/ipfire/html/proxy.pac /srv/web/ipfire/html/wpad.dat
 
-	#Copy stylesheets for the errorpages
+	# Copy stylesheets for the errorpages
 	cp -f $(DIR_SRC)/config/proxy/errorpage-ipfire.css /var/ipfire/proxy/
 	cp -f /etc/squid/errorpage.css /var/ipfire/proxy/errorpage-squid.css