-rw-r--r--usr/src/cmd/cmd-inet/usr.sbin/ipsecutils/ipseckey.c24
-rw-r--r--usr/src/lib/libipsecutil/common/ipsec_util.h5
-rw-r--r--usr/src/pkgdefs/SUNWcnetr/postinstall14
-rw-r--r--usr/src/tools/scripts/bfu.sh15
4 files changed, 57 insertions, 1 deletions
diff --git a/usr/src/cmd/cmd-inet/usr.sbin/ipsecutils/ipseckey.c b/usr/src/cmd/cmd-inet/usr.sbin/ipsecutils/ipseckey.c
index a8488b2884..99d3e5c572 100644
--- a/usr/src/cmd/cmd-inet/usr.sbin/ipsecutils/ipseckey.c
+++ b/usr/src/cmd/cmd-inet/usr.sbin/ipsecutils/ipseckey.c
@@ -33,7 +33,6 @@
#pragma ident "%Z%%M% %I% %E% SMI"
-
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/socket.h>
@@ -3178,6 +3177,7 @@ main(int argc, char *argv[])
FILE *infile = stdin, *savefile;
boolean_t dosave = B_FALSE, readfile = B_FALSE;
char *configfile = NULL;
+ struct stat sbuf;
(void) setlocale(LC_ALL, "");
#if !defined(TEXT_DOMAIN)
@@ -3220,6 +3220,28 @@ main(int argc, char *argv[])
EXIT_BADCONFIG2("Unable to open configuration "
"file: %s\n", optarg);
}
+ /*
+ * Check file permissions/ownership and warn or
+ * fail depending on state of SMF control.
+ */
+ if (fstat(fileno(infile), &sbuf) == -1) {
+ (void) fclose(infile);
+ EXIT_BADCONFIG2("Unable to stat configuration "
+ "file: %s\n", optarg);
+ }
+ if (INSECURE_PERMS(sbuf)) {
+ if (my_fmri != NULL) {
+ (void) fclose(infile);
+ EXIT_BADCONFIG2("Config file "
+ "%s has insecure permissions.",
+ optarg);
+ } else {
+ (void) fprintf(stderr, "%s %s\n",
+ optarg, gettext(
+ "has insecure permissions, will be "
+ "rejected in permanent config."));
+ }
+ }
configfile = strdup(optarg);
readfile = B_TRUE;
break;
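Review bot: The rejection message in the `my_fmri != NULL` branch, `"%s has insecure permissions."`, has no trailing newline, while the two other EXIT_BADCONFIG2 messages in this hunk end with `\n`; unless the macro (not visible here) appends one, it should read `"%s has insecure permissions.\n"`. The check is made with fstat() on the already opened stream rather than on the path, and the comment should say so to keep it from being changed to stat() later: `* fstat() the open stream so the check covers the file that is actually read.` INSECURE_PERMS looks only at the owner and the mode bits, so a root-owned non-regular file would presumably pass; consider also requiring `S_ISREG(sbuf.st_mode)`. main() starts and ends outside the hunk.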
diff --git a/usr/src/lib/libipsecutil/common/ipsec_util.h b/usr/src/lib/libipsecutil/common/ipsec_util.h
index a78831e678..e9995cc6f8 100644
--- a/usr/src/lib/libipsecutil/common/ipsec_util.h
+++ b/usr/src/lib/libipsecutil/common/ipsec_util.h
@@ -79,6 +79,11 @@ extern "C" {
#define TBUF_SIZE 50
#define TIME_MAX LONG_MAX
+#ifndef INSECURE_PERMS
+#define INSECURE_PERMS(sbuf) (((sbuf).st_uid != 0) || \
+ ((sbuf).st_mode & S_IRWXG) || ((sbuf).st_mode & S_IRWXO))
+#endif
+
/* For keyword-lookup tables */
typedef struct keywdtab {
uint_t kw_tag;
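Review bot: INSECURE_PERMS has no comment stating what it treats as insecure, and it evaluates its argument three times. I would add `/* True if the file is not owned by root or has any group or other permission bit set. */` above the `#ifndef`. Because of the `#ifndef` guard, an INSECURE_PERMS defined earlier by another header silently takes precedence, so the policy applied in ipseckey.c depends on include order; if that is intended, the comment should say so. The macro relies on S_IRWXG and S_IRWXO, and whether this header includes <sys/stat.h> itself is not visible in the hunk.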
diff --git a/usr/src/pkgdefs/SUNWcnetr/postinstall b/usr/src/pkgdefs/SUNWcnetr/postinstall
index 69276decd5..b01ea0b368 100644
--- a/usr/src/pkgdefs/SUNWcnetr/postinstall
+++ b/usr/src/pkgdefs/SUNWcnetr/postinstall
@@ -32,3 +32,17 @@ if [ -f $ORIG ]; then
removef $PKGINST /etc/aggregation.conf > /dev/null
removef -f $PKGINST > /dev/null 2>&1
fi
+
+#
+# Change permissions of public IKE certificates and CRLs
+# that may have been incorrectly created as private
+# PKCS#11 hints files must be left root-only readable.
+# Make sure this files starts with "30 82"
+#
+for file in `ls ${PKG_INSTALL_ROOT}/etc/inet/ike/crls/* \
+ ${PKG_INSTALL_ROOT}/etc/inet/ike/publickeys/* 2>/dev/null`; do
+ if /bin/od -tx1 -N3 < $file | grep '30 82' >/dev/null 2>&1
+ then
+ chmod 644 $file
+ fi
+done
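Review bot: The DER test `od -tx1 -N3 < $file | grep '30 82'` is not tied to the first two bytes: with three bytes dumped, a file whose second and third bytes are 30 82 also matches and is made world-readable. Dumping only two bytes, `if /bin/od -tx1 -N2 < "$file" | grep '30 82' >/dev/null 2>&1`, limits the match to the leading bytes. `$file` is unquoted and comes from `ls` in backticks, so names containing whitespace are split, and `chmod 644` follows symbolic links; a guard such as `[ -f "$file" -a ! -h "$file" ]` would keep the loop to regular files. The same loop is added to usr/src/tools/scripts/bfu.sh inside mondo_loop() and needs the same change. In the comment, a period after "created as private" would make clear that the PKCS#11 hints files are the exception.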
diff --git a/usr/src/tools/scripts/bfu.sh b/usr/src/tools/scripts/bfu.sh
index 724a0f052a..15c7ecefc9 100644
--- a/usr/src/tools/scripts/bfu.sh
+++ b/usr/src/tools/scripts/bfu.sh
@@ -7124,6 +7124,21 @@ mondo_loop() {
fi
echo
+
+ #
+ # Change permissions of public IKE certificates and CRLs
+ # that may have been incorrectly created as private
+ # PKCS#11 hints files must be left root-only readable.
+ # Make sure this files starts with "30 82"
+ #
+ for file in `ls $rootprefix/etc/inet/ike/crls/* \
+ $rootprefix/etc/inet/ike/publickeys/* 2>/dev/null`; do
+ if /bin/od -tx1 -N3 < $file | grep '30 82' >/dev/null 2>&1
+ then
+ chmod 644 $file
+ fi
+ done
+
# Simulate installation of SUNWcry* - these are in the bfu archives.
if [ -f $rootprefix/etc/crypto/kcf.conf -a \
-f $rootprefix/etc/crypto/pkcs11.conf ]; then