
[BUG-2856627] Some rubygem RPMs install group-writable files in /usr/lib

We have spotted that rubygem-ffi,
rubygem-fluent-plugin-kubernetes_metadata_filter, rubygem-kubeclient and
rubygem-lru_redux install group-writable files in /usr/lib. Since in
theory users other than root may be part of that group, this
contradicts STIG check PHTN-30-000049.

This commit addresses the issue by dropping the write flag (and
preserving all others).

Also updated specs to comply with new build requirements.

Change-Id: Ia593b9c1cc6a8abec6d651adb9ae17bc119320b4
Signed-off-by: Stanislav Hadjiiski <hadjiiskis@vmware.com>
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/14528
Tested-by: Michelle Wang <michellew@vmware.com>
Reviewed-by: Srinidhi Rao <srinidhir@vmware.com>

shadjiiski authored on 2021/10/15 01:10:19
Showing 4 changed files
... ...
@@ -2,27 +2,34 @@
2 2
 %global gemdir %(IFS=: R=($(gem env gempath)); echo ${R[${#R[@]}-1]})
3 3
 %global gem_name ffi
4 4
 
5
-Name: rubygem-ffi
5
+Name:           rubygem-ffi
6 6
 Version:        1.13.1
7
-Release:        1%{?dist}
7
+Release:        2%{?dist}
8 8
 Summary:        Ruby FFI library
9 9
 Group:          Development/Languages
10
+Vendor:         VMware, Inc.
11
+Distribution:   Photon
10 12
 License:        BSD-2-Clause
11 13
 URL:            https://rubygems.org/gems/%{gem_name}/versions/%{version}
12 14
 Source0:        https://rubygems.org/downloads/ffi-%{version}.gem
13 15
 %define sha1    ffi=cfa25e7a3760c3ec16723cb8263d9b7a52d0eadf
14 16
 BuildRequires:  ruby > 2.1.0
17
+BuildRequires:  gcc
18
+BuildRequires:  libffi-devel
19
+BuildRequires:  gmp-devel
20
+BuildRequires:  findutils
15 21
 
16 22
 %description
17 23
 Ruby FFI library
18 24
 
19 25
 %prep
20
-%setup -q -c -T
26
+%autosetup -n %{gem_name}-%{version}
21 27
 
22 28
 %build
23 29
 
24 30
 %install
25 31
 gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{SOURCE0}
32
+[ -d %{buildroot}/usr/lib ] && find %{buildroot}/usr/lib -type f -perm /022 -exec chmod go-w {} \;
26 33
 
27 34
 %files
28 35
 %defattr(-,root,root,-)
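Review bot: the new `%install` line is written as `[ -d … ] && find …`, and it is the last command of the scriptlet (only a blank line separates it from `%files`), so when `%{buildroot}/usr/lib` is absent the whole `&&` list returns non-zero; an explicit `if [ -d %{buildroot}/usr/lib ]; then find … ; fi` (or a trailing `|| :`) expresses the same intent without relying on how the build shell treats a false left-hand side of `&&`. While here, `-exec chmod go-w {} +` runs one chmod per batch instead of one per file. Note also that `-perm /022` with `go-w` clears world-write as well as group-write, which is the right thing to do but goes beyond the "group-writable" wording of the commit message.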
... ...
@@ -30,6 +37,8 @@ gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{SOURCE0}
30 30
 %exclude /usr/lib/ruby/gems/2.5.0/gems/ffi-1.9.25/ext/ffi_c/libffi-%{_arch}-linux/include/ffitarget.h
31 31
 
32 32
 %changelog
33
+*   Thu Oct 14 2021 Stanislav Hadjiiski <hadjiiskis@vmware.com> 1.13.1-2
34
+-   Drop group write permissions for files in /usr/lib to comply with STIG
33 35
 *   Thu Jul 16 2020 Gerrit Photon <photon-checkins@vmware.com> 1.13.1-1
34 36
 -   Automatic Version Bump
35 37
 *   Tue Sep 25 2018 Ajay Kaher <akaher@vmware.com> 1.9.25-3
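Review bot: the unchanged `%exclude` at the top of this hunk still points at `/usr/lib/ruby/gems/2.5.0/gems/ffi-1.9.25/…/ffitarget.h` while the spec builds `Version: 1.13.1`, so that path no longer describes what `gem install` lays down. Since the spec already defines `%{gemdir}` and `%{gem_name}`, `%exclude %{gemdir}/gems/%{gem_name}-%{version}/ext/ffi_c/libffi-%{_arch}-linux/include/ffitarget.h` would track the version, or the line should be dropped if that header is no longer installed.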
... ...
@@ -2,9 +2,9 @@
2 2
 %global gemdir %(IFS=: R=($(gem env gempath)); echo ${R[${#R[@]}-1]})
3 3
 %global gem_name fluent-plugin-kubernetes_metadata_filter
4 4
 
5
-Name: rubygem-fluent-plugin-kubernetes_metadata_filter
5
+Name:           rubygem-fluent-plugin-kubernetes_metadata_filter
6 6
 Version:        2.5.2
7
-Release:        2%{?dist}
7
+Release:        3%{?dist}
8 8
 Summary:        Fluentd Filter plugin to add Kubernetes metadata.
9 9
 Group:          Development/Libraries
10 10
 Vendor:         VMware, Inc.
... ...
@@ -14,15 +14,14 @@ URL:            https://rubygems.org/gems/%{gem_name}/versions/%{version}
14 14
 Source0:        https://rubygems.org/downloads/%{gem_name}-%{version}.gem
15 15
 %define sha1    fluent-plugin-kubernetes_metadata_filter=6e8b3dff1b227a2c22ba2796ad1885ce1fa67a77
16 16
 BuildRequires:  ruby >= 2.1
17
-
18
-Requires: rubygem-fluentd >= 0.14.0, rubygem-fluentd < 2.0.0
19
-Requires: rubygem-kubeclient < 5.0
20
-Requires: rubygem-lru_redux
21
-BuildArch: noarch
17
+BuildRequires:  findutils
18
+Requires:       rubygem-fluentd >= 0.14.0, rubygem-fluentd < 2.0.0
19
+Requires:       rubygem-kubeclient < 5.0
20
+Requires:       rubygem-lru_redux
21
+BuildArch:      noarch
22 22
 
23 23
 %description
24 24
 The Kubernetes metadata plugin filter enriches container log records with pod and namespace metadata.
25
-
26 25
 This plugin derives basic metadata about the container that emitted a given log record using the source
27 26
 of the log record. Records from journald provide metadata about the container environment as named fields.
28 27
 Records from JSON files encode metadata about the container in the file name. The initial metadata derived
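Review bot: this hunk also drops the blank line between the first and second `%description` paragraphs ("…pod and namespace metadata." / "This plugin derives…"); rpm stores `%description` text verbatim, so the two paragraphs now run together in `rpm -qi` output. If the intent was only to tidy the blank line before `Requires:`, restore the paragraph separator.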
... ...
@@ -33,18 +32,21 @@ metadata. This behaviors supports multi-tenant systems that rely on the authenti
33 33
 proper log isolation.
34 34
 
35 35
 %prep
36
-%setup -q -c -T
36
+%autosetup -n %{gem_name}-%{version}
37 37
 
38 38
 %build
39 39
 
40 40
 %install
41 41
 gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{SOURCE0}
42
+[ -d %{buildroot}/usr/lib ] && find %{buildroot}/usr/lib -type f -perm /022 -exec chmod go-w {} \;
42 43
 
43 44
 %files
44 45
 %defattr(-,root,root,-)
45 46
 %{gemdir}
46 47
 
47 48
 %changelog
49
+*   Thu Oct 14 2021 Stanislav Hadjiiski <hadjiiskis@vmware.com> 2.5.2-3
50
+-   Drop group write permissions for files in /usr/lib to comply with STIG
48 51
 *   Tue Sep 22 2020 Gerrit Photon <photon-checkins@vmware.com> 2.5.2-2
49 52
 -   Update rubygem-kubeclient version
50 53
 *   Thu Jul 16 2020 Gerrit Photon <photon-checkins@vmware.com> 2.5.2-1
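Review bot: the permission fix scans `%{buildroot}/usr/lib` behind a `[ -d ]` guard, but the only thing this package ships is `%{gemdir}` (see the `%files` list in this hunk), and `%{gemdir}` is whatever the last entry of `gem env gempath` resolves to at build time; if that ever lands outside /usr/lib the guard silently skips the fix and the group-writable files come back. Running the find over `%{buildroot}%{gemdir}` ties the fix to the files actually packaged and makes the directory test unnecessary. Because `%defattr(-,root,root,-)` keeps the on-disk modes, this chmod at install time is what decides the packaged permissions, so the target directory matters.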
... ...
@@ -4,7 +4,7 @@
4 4
 
5 5
 Name:           rubygem-kubeclient
6 6
 Version:        4.9.1
7
-Release:        1%{?dist}
7
+Release:        2%{?dist}
8 8
 Summary:        A client for Kubernetes REST api.
9 9
 Group:          Development/Libraries
10 10
 Vendor:         VMware, Inc.
... ...
@@ -14,6 +14,7 @@ URL:            https://rubygems.org/gems/%{gem_name}/versions/%{version}
14 14
 Source0:        https://rubygems.org/downloads/%{gem_name}-%{version}.gem
15 15
 %define sha1    kubeclient=e31c1604d94bfd5a7112624965b71e7821692825
16 16
 BuildRequires:  ruby >= 2.0.0
17
+BuildRequires:  findutils
17 18
 Requires:       rubygem-activesupport
18 19
 Requires:       rubygem-http >= 3.0, rubygem-http < 5.0
19 20
 Requires:       rubygem-recursive-open-struct > 1.1
... ...
@@ -24,18 +25,21 @@ BuildArch:      noarch
24 24
 A client for Kubernetes REST api.
25 25
 
26 26
 %prep
27
-%setup -q -c -T
27
+%autosetup -n %{gem_name}-%{version}
28 28
 
29 29
 %build
30 30
 
31 31
 %install
32 32
 gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{SOURCE0}
33
+[ -d %{buildroot}/usr/lib ] && find %{buildroot}/usr/lib -type f -perm /022 -exec chmod go-w {} \;
33 34
 
34 35
 %files
35 36
 %defattr(-,root,root,-)
36 37
 %{gemdir}
37 38
 
38 39
 %changelog
40
+*   Thu Oct 14 2021 Stanislav Hadjiiski <hadjiiskis@vmware.com> 4.9.1-2
41
+-   Drop group write permissions for files in /usr/lib to comply with STIG
39 42
 *   Mon Sep 21 2020 Gerrit Photon <photon-checkins@vmware.com> 4.9.1-1
40 43
 -   Automatic Version Bump
41 44
 *   Wed Sep 02 2020 Sujay G <gsujay@vmware.com> 1.1.4-2
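Review bot: `%autosetup -n %{gem_name}-%{version}` replaces `%setup -q -c -T`, so `%prep` now unpacks Source0 (the .gem) into a `kubeclient-4.9.1` tree, yet `%install` still installs straight from `%{SOURCE0}` and never touches that tree. That is harmless, but the commit message only says "comply with new build requirements"; a one-line comment above `%prep` naming the requirement (for example a check that expects an unpacked source tree) would save the next reader from hunting for a consumer of the unpacked directory.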
... ...
@@ -2,9 +2,9 @@
2 2
 %global gemdir %(IFS=: R=($(gem env gempath)); echo ${R[${#R[@]}-1]})
3 3
 %global gem_name lru_redux
4 4
 
5
-Name: rubygem-lru_redux
5
+Name:           rubygem-lru_redux
6 6
 Version:        1.1.0
7
-Release:        2%{?dist}
7
+Release:        3%{?dist}
8 8
 Summary:        An efficient, thread safe implementation of an LRU cache.
9 9
 Group:          Development/Libraries
10 10
 Vendor:         VMware, Inc.
... ...
@@ -14,25 +14,28 @@ URL:            https://rubygems.org/gems/%{gem_name}/versions/%{version}
14 14
 Source0:        https://rubygems.org/downloads/%{gem_name}-%{version}.gem
15 15
 %define sha1    lru_redux=7767aae39ca4e93beed18979845c490685655790
16 16
 BuildRequires:  ruby >= 1.9.3
17
-
18
-BuildArch: noarch
17
+BuildRequires:  findutils
18
+BuildArch:      noarch
19 19
 
20 20
 %description
21 21
 An efficient, thread safe implementation of an LRU cache.
22 22
 
23 23
 %prep
24
-%setup -q -c -T
24
+%autosetup -n %{gem_name}-%{version}
25 25
 
26 26
 %build
27 27
 
28 28
 %install
29 29
 gem install -V --local --force --install-dir %{buildroot}/%{gemdir} %{SOURCE0}
30
+[ -d %{buildroot}/usr/lib ] && find %{buildroot}/usr/lib -type f -perm /022 -exec chmod go-w {} \;
30 31
 
31 32
 %files
32 33
 %defattr(-,root,root,-)
33 34
 %{gemdir}
34 35
 
35 36
 %changelog
37
+*   Thu Oct 14 2021 Stanislav Hadjiiski <hadjiiskis@vmware.com> 1.1.0-3
38
+-   Drop group write permissions for files in /usr/lib to comply with STIG
36 39
 *   Wed Sep 02 2020 Sujay G <gsujay@vmware.com> 1.1.0-2
37 40
 -   Rebuilt using ruby-2.7.1
38 41
 *   Thu Aug 22 2019 Stanislav Hadjiiski <hadjiiskis@vmware.com> 1.1.0-1
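Review bot: `-type f` restricts the fix to regular files, so a group-writable directory under `%{buildroot}/usr/lib` would still be packaged with that mode; the commit message and changelog entry only mention files, so if directories were checked and found clean that is fine, otherwise dropping `-type f` (`chmod go-w` is equally safe on directories) closes the gap. The added `BuildRequires: findutils` covers `find`; `chmod` comes from coreutils, which the spec leaves implicit.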