From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Wed, 18 Jan 2023 14:00:22 -0500
Subject: [PATCH] Use normal file permissions instead of ACLs

Fixes a symlink attack that can't be mitigated using getfacl/setfacl.

pesign-authorize is now deprecated and will be removed in a future
release.

Resolves: CVE-2022-3560
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
---
 src/pesign-authorize.in | 50 +++----------------------------------------------
 1 file changed, 3 insertions(+), 47 deletions(-)

diff --git a/src/pesign-authorize.in b/src/pesign-authorize.in
index 69797d5..b4e89e0 100644
--- a/src/pesign-authorize.in
+++ b/src/pesign-authorize.in
@@ -2,56 +2,12 @@
 set -e
 set -u
 
-#
-# With /run/pesign/socket on tmpfs, a simple way of restoring the
-# acls for specific users is useful
-#
-#  Compare to: http://infrastructure.fedoraproject.org/cgit/ansible.git/tree/roles/bkernel/tasks/main.yml?id=17198dadebf59d8090b7ed621bc8ab22152d2eb6
-#
-
 # License: GPLv2
-declare -a fileusers=()
-declare -a dirusers=()
-while read -r user ; do
-	dirusers[${#dirusers[@]}]=-m
-	dirusers[${#dirusers[@]}]="u:$user:rwx"
-	fileusers[${#fileusers[@]}]=-m
-	fileusers[${#fileusers[@]}]="u:$user:rw"
-done </etc/pesign/users
 
-declare -a filegroups=()
-declare -a dirgroups=()
-while read -r group ; do
-	dirgroups[${#dirgroups[@]}]=-m
-	dirgroups[${#dirgroups[@]}]="g:$group:rwx"
-	filegroups[${#filegroups[@]}]=-m
-	filegroups[${#filegroups[@]}]="g:$group:rw"
-done </etc/pesign/groups
-
-update_subdir() {
-	subdir=$1 && shift
-
-	setfacl -bk "${subdir}"
-	setfacl "${dirusers[@]}" "${dirgroups[@]}" "${subdir}"
-	for x in "${subdir}"* ; do
-		if [ -d "${x}" ]; then
-			setfacl -bk "${x}"
-			setfacl "${dirusers[@]}" "${dirgroups[@]}" "${x}"
-			update_subdir "${x}/"
-		elif [ -e "${x}" ]; then
-			setfacl -bk "${x}"
-			setfacl "${fileusers[@]}" "${filegroups[@]}" "${x}"
-		else
-			:;
-		fi
-	done
-}
+# This script is deprecated and will be removed in a future release.
 
 sleep 3
 for x in @@RUNDIR@@pesign/ /etc/pki/pesign/ ; do
-	if [ -d "${x}" ]; then
-		update_subdir "${x}"
-	else
-		:;
-	fi
+	chown -R pesign:pesign "${x}" || true
+	chmod -R ug+rwX "${x}" || true
 done