-rw-r--r-- | community/open-vm-tools/APKBUILD | 14 | ||||
-rw-r--r-- | community/open-vm-tools/open-vm-tools.post-upgrade | 3 |
2 files changed, 17 insertions, 0 deletions
diff --git a/community/open-vm-tools/APKBUILD b/community/open-vm-tools/APKBUILD
index 8f4ad49e08..accc21678a 100644
--- a/community/open-vm-tools/APKBUILD
+++ b/community/open-vm-tools/APKBUILD
@@ -56,6 +56,7 @@ makedepends="
 rpcgen
 xmlsec-dev
 "
+pkggroups="vmware"
 source="$pkgname-$pkgver.tar.gz::https://github.com/vmware/open-vm-tools/archive/stable-$_ver.tar.gz
 0001-lib-misc-Recognize-Alpine-Linux.patch
 0002-open-vm-tools-Add-disable-werror-configure-option.patch
@@ -128,6 +129,7 @@ check() {
 package() {
 local confdir="$pkgdir/etc/vmware-tools"
 local sharedir="$pkgdir/usr/share/$pkgname"
+ local i
 make -C open-vm-tools install DESTDIR="$pkgdir"
@@ -155,6 +157,18 @@ package() {
 # TODO: Write network script for Alpine.
 rm -f "$confdir"/scripts/vmware/network
+ # These commands allow to modify some VM's parameters or write to VM's
+ # logs which is typically undesirable to be allowed to any user or
+ # process. Of course, this cannot prevent users from copying and
+ # running their own open-vm-tools binaries, but better than nothing...
+ # See also https://github.com/vmware/open-vm-tools/issues/288.
+ for i in vmtoolsd vmware-namespace-cmd vmware-rpctool \
+ vmware-toolbox-cmd vmware-xferlogs;
+ do
+ chgrp vmware ./usr/bin/$i
+ chmod 750 ./usr/bin/$i
+ done
+
 install -D -m 755 "$srcdir"/$pkgname.initd ./etc/init.d/$pkgname
 install -D -m 644 "$srcdir"/$pkgname.confd ./etc/conf.d/$pkgname
 install -D -m 644 "$srcdir"/$pkgname.logrotate ./etc/logrotate.d/$pkgname
diff --git a/community/open-vm-tools/open-vm-tools.post-upgrade b/community/open-vm-tools/open-vm-tools.post-upgrade
index 0fac964037..ca620c591b 100644
--- a/community/open-vm-tools/open-vm-tools.post-upgrade
+++ b/community/open-vm-tools/open-vm-tools.post-upgrade
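Review bot: `pkggroups="vmware"` in the first APKBUILD hunk declares the group used for packaged file ownership, but nothing visible in this commit creates that group on the system where the package gets installed; the diffstat lists only APKBUILD and the post-upgrade script. If no existing install script already handles it, the `chgrp vmware` ownership set in the third hunk may have no matching group at install time, and the restricted binaries would likely not be usable by the group the upgrade notice names. Consider a pre-install script that runs `addgroup -S vmware 2>/dev/null` and is listed in `install=`. The rest of the APKBUILD lies outside these hunks, so this may already be in place.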
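Review bot: The loop in the third APKBUILD hunk restricts five binaries chosen by name, so any other tool that `make install` places in ./usr/bin and that can also modify VM parameters or write to VM logs keeps its default mode; whether such tools exist is not visible here. A line in the comment recording how the list was chosen would help future version bumps, e.g. `# Keep this list in sync with upstream: add any new binary that can modify VM parameters or write to VM logs.` Separately, `./usr/bin/$i` is unquoted and depends on the working directory set earlier in package(), which starts and ends outside the hunk; `chgrp vmware "./usr/bin/$i"` and `chmod 750 "./usr/bin/$i"` would match the quoting already used for `"$confdir"`.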
@@ -11,6 +11,9 @@ if [ "$(apk version -t "$ver_old" "11.0.5-r1")" = "<" ]; then
 * of them, run: apk add open-vm-tools-plugins-all.
 *
 * Log files produced by open-vm-tools were moved to /var/log/vmware/.
+ *
+ * vmtoolsd and vmware-* utilities are not executable for all users anymore
+ * (for security reasons), only for root and members of group vmware.
 *
 EOF
 fi |