authorJakub Jirutka <jakub@jirutka.cz>2020-03-08 13:05:18 +0100
committerJakub Jirutka <jakub@jirutka.cz>2020-03-08 20:36:41 +0100
commitcc6813e8549a87ccefe58940db59149d7636ebc1 (patch)
treefc7958922d24ffad59f6d12f54c8a79bd3a0f578 /community/open-vm-tools
parent9f3f0c368133f60cc5bf98f906bcafe102e76fad (diff)
community/open-vm-tools: allow only u:root/g:vmware run vmware-* commands
Diffstat (limited to 'community/open-vm-tools')
-rw-r--r--community/open-vm-tools/APKBUILD14
-rw-r--r--community/open-vm-tools/open-vm-tools.post-upgrade3
2 files changed, 17 insertions, 0 deletions
diff --git a/community/open-vm-tools/APKBUILD b/community/open-vm-tools/APKBUILD
index 8f4ad49e08..accc21678a 100644
--- a/community/open-vm-tools/APKBUILD
+++ b/community/open-vm-tools/APKBUILD
@@ -56,6 +56,7 @@ makedepends="
rpcgen
xmlsec-dev
"
+pkggroups="vmware"
source="$pkgname-$pkgver.tar.gz::https://github.com/vmware/open-vm-tools/archive/stable-$_ver.tar.gz
0001-lib-misc-Recognize-Alpine-Linux.patch
0002-open-vm-tools-Add-disable-werror-configure-option.patch
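Review bot: `pkggroups="vmware"` declares the group for the build, but nothing visible in this commit creates it on the target system: the diffstat touches only APKBUILD and the post-upgrade script. If the package does not already ship a pre-install script that runs something like `addgroup -S vmware 2>/dev/null`, the group ownership applied in package() may not resolve to the intended group at install time. Please confirm that such a script exists, and for upgrades from versions that predate the group, make the same call in a pre-upgrade script. The rest of the APKBUILD, including any `install=` line, is outside this hunk.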
@@ -128,6 +129,7 @@ check() {
package() {
local confdir="$pkgdir/etc/vmware-tools"
local sharedir="$pkgdir/usr/share/$pkgname"
+ local i
make -C open-vm-tools install DESTDIR="$pkgdir"
@@ -155,6 +157,18 @@ package() {
# TODO: Write network script for Alpine.
rm -f "$confdir"/scripts/vmware/network
+ # These commands allow to modify some VM's parameters or write to VM's
+ # logs which is typically undesirable to be allowed to any user or
+ # process. Of course, this cannot prevent users from copying and
+ # running their own open-vm-tools binaries, but better than nothing...
+ # See also https://github.com/vmware/open-vm-tools/issues/288.
+ for i in vmtoolsd vmware-namespace-cmd vmware-rpctool \
+ vmware-toolbox-cmd vmware-xferlogs;
+ do
+ chgrp vmware ./usr/bin/$i
+ chmod 750 ./usr/bin/$i
+ done
+
install -D -m 755 "$srcdir"/$pkgname.initd ./etc/init.d/$pkgname
install -D -m 644 "$srcdir"/$pkgname.confd ./etc/conf.d/$pkgname
install -D -m 644 "$srcdir"/$pkgname.logrotate ./etc/logrotate.d/$pkgname
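Review bot: The loop starting at `for i in vmtoolsd vmware-namespace-cmd ...` restricts binaries by a fixed list of names, so any other executable from this package or its subpackages that uses the same guest RPC channel keeps its default mode. The comment should state how the list was chosen, so that a tool added by a later upstream release is reviewed against it. The `chgrp`/`chmod` calls use `./usr/bin/$i` and so presumably depend on a `cd "$pkgdir"` that is not visible here; `chgrp vmware "$pkgdir"/usr/bin/$i` and `chmod 750 "$pkgdir"/usr/bin/$i` would not depend on the working directory. package() starts and ends outside the hunk.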
diff --git a/community/open-vm-tools/open-vm-tools.post-upgrade b/community/open-vm-tools/open-vm-tools.post-upgrade
index 0fac964037..ca620c591b 100644
--- a/community/open-vm-tools/open-vm-tools.post-upgrade
+++ b/community/open-vm-tools/open-vm-tools.post-upgrade
@@ -11,6 +11,9 @@ if [ "$(apk version -t "$ver_old" "11.0.5-r1")" = "<" ]; then
* of them, run: apk add open-vm-tools-plugins-all.
*
* Log files produced by open-vm-tools were moved to /var/log/vmware/.
+ *
+ * vmtoolsd and vmware-* utilities are not executable for all users anymore
+ * (for security reasons), only for root and members of group vmware.
*
EOF
fi
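Review bot: The added notice is printed only when `ver_old` is below `11.0.5-r1`, and the diffstat (17 insertions, 0 deletions) indicates that `pkgrel` was not changed in this commit. If 11.0.5-r1 had already been published, systems that installed it would receive the permission change, if at all, without ever seeing this message; bumping `pkgrel` and comparing against the new release would cover them. The notice could also name the remedy, for example `addgroup <user> vmware`, because scripts that call vmware-toolbox-cmd or vmware-rpctool as an unprivileged user will now fail with a permission error. The heredoc begins outside the hunk.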