Merge pull request from GHSA-3pqh-p72c-fj85

Address VULN-11642
cloudflare · Nov 18, 2021 · 606084d · 606084d
2 parents 488a334 + 9c7bc2a
commit 606084d
Show file tree

Hide file tree

Showing 6 changed files with 38 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -45,6 +45,8 @@ docker-octorpki:
 package-deb-octorpki: prepare
 	fpm -s dir -t deb -n $(OCTORPKI_NAME) -v $(VERSION_PKG) \
         --description "$(DESCRIPTION)"  \
+        --after-install package/after-install-octorpki.sh \
+        --before-remove package/before-remove-octoprki.sh \
         --url "$(URL)" \
         --architecture $(ARCH) \
         --license "$(LICENSE)" \
@@ -61,6 +63,8 @@ package-deb-octorpki: prepare
 package-rpm-octorpki: prepare
 	fpm -s dir -t rpm -n $(OCTORPKI_NAME) -v $(VERSION_PKG) \
         --description "$(DESCRIPTION)" \
+        --after-install package/after-install-octorpki.sh \
+        --before-remove package/before-remove-octoprki.sh \
         --url "$(URL)" \
         --architecture $(ARCH) \
         --license "$(LICENSE) "\

diff --git a/cmd/octorpki/octorpki.go b/cmd/octorpki/octorpki.go
@@ -47,6 +47,7 @@ var (
 	version    = ""
 	buildinfos = ""
 	AppVersion = "OctoRPKI " + version + " " + buildinfos
+	AllowRoot  = flag.Bool("allow.root", false, "Allow starting as root")
 
 	// Validator Options
 	RootTAL       = flag.String("tal.root", "tals/afrinic.tal,tals/apnic.tal,tals/arin.tal,tals/lacnic.tal,tals/ripe.tal", "List of TAL separated by comma")
@@ -1134,6 +1135,9 @@ func (s *state) Serve(addr string, path string, metricsPath string, infoPath str
 }
 
 func init() {
+	if !*AllowRoot && runningAsRoot() {
+		panic("Running as root is not allowed by default")
+	}
 
 	prometheus.MustRegister(MetricSIACounts)
 	prometheus.MustRegister(MetricRsyncErrors)
@@ -1147,6 +1151,10 @@ func init() {
 	prometheus.MustRegister(MetricLastFetch)
 }
 
+func runningAsRoot() bool {
+	return os.Geteuid() == 0 || os.Getegid() == 0
+}
+
 func main() {
 	runtime.GOMAXPROCS(runtime.NumCPU())
 

diff --git a/package/after-install-octorpki.sh b/package/after-install-octorpki.sh
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -x
+
+addgroup --system octorpki
+adduser --system --home /var/lib/octorpki --shell /usr/sbin/nologin --disable-login --group octorpki
+
+systemctl daemon-reload
+systemctl enable octorpki.service
+systemctl start octorpki
+
+exit 0
diff --git a/package/before-remove-octorpki.sh b/package/before-remove-octorpki.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -x
+
+systemctl stop octorpki
+systemctl disable octorpki
+
+deluser octorpki
+delgroup octorpki
+
+exit 0
diff --git a/package/octorpki.service b/package/octorpki.service
@@ -7,6 +7,8 @@ Type=simple
 EnvironmentFile=/etc/default/octorpki
 WorkingDirectory=/usr/share/octorpki
 ExecStart=/usr/bin/octorpki $OCTORPKI_ARGS
+User=octorpki
+Group=octorpki
 
 [Install]
 WantedBy=multi-user.target
diff --git a/sync/lib/rsync.go b/sync/lib/rsync.go
@@ -70,7 +70,7 @@ func (s *RsyncSystem) RunRsync(ctx context.Context, uri string, bin string, dirP
 		return nil, err
 	}
 
-	cmd := exec.CommandContext(ctx, bin, "-var", uri, dirPath)
+	cmd := exec.CommandContext(ctx, bin, "-vrlt", uri, dirPath)
 	if s.Log != nil {
 		s.Log.Debugf("Command ran: %v", cmd)
 	}