rel 5; mount /run as mode=0755,noexec,nosuid,nodev (security issue).

diff --git a/rc-scripts-git.patch b/rc-scripts-git.patch
index 4b9a2f3be9ebd9b78ebe8250427859b9daef2c88..c16153b3b7b3911922612eb1634d84bb60e2d607 100644 (file)
--- a/rc-scripts-git.patch
+++ b/rc-scripts-git.patch
@@ -30,3 +30,31 @@ index 8d018f7..f9538d2 100644
                pid=$(pidof -o $$ -o $PPID -o %PPID -x "$1")
        fi
  
+commit bf42a4fb7c71c31954499bf9cbce4548305afe80
+Author: Arkadiusz Miśkiewicz <arekm@maven.pl>
+Date:   Tue Jun 7 17:09:48 2016 +0200
+
+    Mount /run as mode=0755,noexec,nosuid,nodev.
+
+diff --git a/rc.d/rc.sysinit b/rc.d/rc.sysinit
+index f7f0eea..99bb078 100755
+--- a/rc.d/rc.sysinit
++++ b/rc.d/rc.sysinit
+@@ -409,7 +409,7 @@ if ! is_yes "$VSERVER" && [[ "$container" != lxc* ]]; then
+       parse_cmdline
+ 
+       if [ -d /run ]; then
+-              is_fsmounted tmpfs /run || mount -n -t tmpfs run /run
++              is_fsmounted tmpfs /run || mount -n -t tmpfs run /run -o mode=0755,noexec,nosuid,nodev
+       fi
+ 
+       # Early sysctls
+@@ -680,7 +680,7 @@ if ! is_yes "$VSERVER" && [[ "$container" != lxc* ]]; then
+               mount -f -t devtmpfs devtmpfs /dev 2> /dev/null
+       fi
+       if is_fsmounted tmpfs /run; then
+-              mount -f -t tmpfs run /run 2> /dev/null
++              mount -f -t tmpfs run /run -o mode=0755,noexec,nosuid,nodev 2> /dev/null
+       fi
+ 
+       if is_fsmounted usbfs /proc/bus/usb; then

diff --git a/rc-scripts.spec b/rc-scripts.spec
index 45dce34affa64ca824926809d099cb9509dec0c2..b1f6b86877548c35cbbdf887ad9013da6a4cc2e2 100644 (file)
--- a/rc-scripts.spec
+++ b/rc-scripts.spec
@@ -9,7 +9,7 @@ Summary(pl.UTF-8):      inittab i skrypty startowe z katalogu /etc/rc.d
 Summary(tr.UTF-8):     inittab ve /etc/rc.d dosyaları
 Name:          rc-scripts
 Version:       0.4.15
-Release:       4
+Release:       5
 License:       GPL v2
 Group:         Base
 #Source0:      ftp://distfiles.pld-linux.org/src/%{name}-%{version}.tar.gz