generated from sig_core/wiki-template
Deployed 5556b38
with MkDocs version: 1.5.3
parent
fb2659435f
commit
1b3be8b095
@ -503,7 +503,16 @@
|
||||
</span>
|
||||
</a>
|
||||
|
||||
<nav class="md-nav" aria-label="Usage in Rocky Linux">
|
||||
</li>
|
||||
|
||||
<li class="md-nav__item">
|
||||
<a href="#sub-packages" class="md-nav__link">
|
||||
<span class="md-ellipsis">
|
||||
Sub-packages
|
||||
</span>
|
||||
</a>
|
||||
|
||||
<nav class="md-nav" aria-label="Sub-packages">
|
||||
<ul class="md-nav__list">
|
||||
|
||||
<li class="md-nav__item">
|
||||
@ -516,9 +525,18 @@
|
||||
</li>
|
||||
|
||||
<li class="md-nav__item">
|
||||
<a href="#control-shadow" class="md-nav__link">
|
||||
<a href="#control-shadow-utils" class="md-nav__link">
|
||||
<span class="md-ellipsis">
|
||||
control-shadow
|
||||
control-shadow-utils
|
||||
</span>
|
||||
</a>
|
||||
|
||||
</li>
|
||||
|
||||
<li class="md-nav__item">
|
||||
<a href="#control-util-linux" class="md-nav__link">
|
||||
<span class="md-ellipsis">
|
||||
control-util-linux
|
||||
</span>
|
||||
</a>
|
||||
|
||||
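Review bot: the nav link target changes from `#control-shadow` to `#control-shadow-utils` in this hunk, so any existing deep link to the old anchor will no longer land on the section. If the old URL has been shared (issue trackers, mailing lists), consider keeping the old id as an alias on the renamed heading, or mention the rename where readers of the old link will see it.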
@ -527,6 +545,15 @@
|
||||
</ul>
|
||||
</nav>
|
||||
|
||||
</li>
|
||||
|
||||
<li class="md-nav__item">
|
||||
<a href="#change-log" class="md-nav__link">
|
||||
<span class="md-ellipsis">
|
||||
Change log
|
||||
</span>
|
||||
</a>
|
||||
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
@ -702,27 +729,55 @@
|
||||
<h1 id="extra-package-control">Extra package: control<a class="headerlink" href="#extra-package-control" title="Permanent link">¶</a></h1>
|
||||
<h2 id="el9">EL9<a class="headerlink" href="#el9" title="Permanent link">¶</a></h2>
|
||||
<ul>
|
||||
<li>Version <code>0.8.0-2.el9_3.security</code></li>
|
||||
<li>Version <code>0.8.0-4.el9_3.security</code></li>
|
||||
</ul>
|
||||
<h3 id="package-summary">Package summary<a class="headerlink" href="#package-summary" title="Permanent link">¶</a></h3>
|
||||
<p><code>control</code> provides a common interface to register and control (what it calls) system facilities.
|
||||
This is intended primarily for facilities that can potentially be dangerous to system security, to let you enable, disable, or configure each facility.
|
||||
A typical facility is a SUID/SGID/setcap program or a configuration setting of a service.</p>
|
||||
A typical facility is a configuration setting of a service or a SUID/SGID/setcap program, or a closely related group of such settings and/or programs that are managed together.
|
||||
We manage permissions on SUID/SGID/setcap programs because those programs pose risk to system security in case of vulnerabilities in them or in library code they use.</p>
|
||||
<p><code>control</code> originates in Owl and is actively maintained in ALT Linux.</p>
|
||||
<h3 id="usage-in-rocky-linux">Usage in Rocky Linux<a class="headerlink" href="#usage-in-rocky-linux" title="Permanent link">¶</a></h3>
|
||||
<p>While the original <code>control</code> package in Owl and ALT Linux merely provides the common interface mentioned above for other packages to register their facilities with (and many packages in those distros do), it's been adapted in Rocky Linux to provide its own sub-packages with facility specifications and RPM trigger scripts for other packages coming from EL. This way, we can <code>control</code> those facilities and have custom settings persist (be automatically saved and restored) over package upgrades without us having to maintain forks of those other packages.</p>
|
||||
<p>Initially, there are 2 sub-packages:</p>
|
||||
<h4 id="control">control<a class="headerlink" href="#control" title="Permanent link">¶</a></h4>
|
||||
<p>The main package providing the common interface, but no facilities of its own.
|
||||
Please refer to <code>control(8)</code> man page for command-line usage syntax.</p>
|
||||
<h4 id="control-shadow">control-shadow<a class="headerlink" href="#control-shadow" title="Permanent link">¶</a></h4>
|
||||
<p>Facility files corresponding to the <code>shadow-utils</code> package. Currently, these allow to <code>control</code> access to 5 privileged programs (3 of them are by default SUID root and 2 <code>cap_setuid=ep</code>, thus posing risk to system security in case of vulnerabilities in them).</p>
|
||||
<div class="highlight"><pre><span></span><code># control
|
||||
chage public (public restricted)
|
||||
<p>The available facilities, their current settings, and lists of possible settings can be queried by running the <code>control</code> command without parameters. With all currently available sub-packages installed, its output may be:</p>
|
||||
<div class="highlight"><pre><span></span><code>chage public (public restricted)
|
||||
gpasswd public (public wheelonly restricted)
|
||||
mount public (public wheelonly unprivileged restricted)
|
||||
newgidmap public (public wheelonly restricted)
|
||||
newgrp public (public wheelonly restricted)
|
||||
newuidmap public (public wheelonly restricted)
|
||||
write public (public restricted)
|
||||
</code></pre></div>
|
||||
<p>The default settings (typically <code>public</code>) correspond to EL packages' defaults (and are typically the most relaxed security-wise).</p>
|
||||
<p>Please refer to <code>control(8)</code> man page for command-line usage syntax.</p>
|
||||
<h3 id="sub-packages">Sub-packages<a class="headerlink" href="#sub-packages" title="Permanent link">¶</a></h3>
|
||||
<p>Currently, there are 3 sub-packages:</p>
|
||||
<h4 id="control">control<a class="headerlink" href="#control" title="Permanent link">¶</a></h4>
|
||||
<p>The main package providing the common interface, but no facilities of its own.</p>
|
||||
<h4 id="control-shadow-utils">control-shadow-utils<a class="headerlink" href="#control-shadow-utils" title="Permanent link">¶</a></h4>
|
||||
<p>Facility specifications corresponding to the <code>shadow-utils</code> package. Currently, these allow to <code>control</code> access to 5 privileged programs - 3 of them (<code>chage</code>, <code>gpasswd</code>, and <code>newgrp</code>) are by default SUID root and 2 (<code>newuidmap</code> and <code>newgidmap</code>) are <code>cap_setuid=ep</code>.</p>
|
||||
<h4 id="control-util-linux">control-util-linux<a class="headerlink" href="#control-util-linux" title="Permanent link">¶</a></h4>
|
||||
<p>Facility specifications corresponding to the <code>util-linux</code> and <code>util-linux-core</code> packages. Currently, these allow to <code>control</code> access to 3 privileged programs - 2 of them (<code>mount</code> and <code>umount</code>) are by default SUID root and 1 (<code>write</code>) SGID <code>tty</code>.</p>
|
||||
<h3 id="change-log">Change log<a class="headerlink" href="#change-log" title="Permanent link">¶</a></h3>
|
||||
<div class="highlight"><pre><span></span><code>* Mon Dec 18 2023 Solar Designer <solar@openwall.com> 0.8.0-4
|
||||
- Add sub-package with facilities and triggers for util-linux
|
||||
|
||||
* Mon Dec 18 2023 Solar Designer <solar@openwall.com> 0.8.0-3
|
||||
- Rename the shadow sub-package to shadow-utils
|
||||
- Rename the source files not to differentiate them by sub-package
|
||||
- Add "Requires: shadow-utils" in the shadow-utils sub-package
|
||||
|
||||
* Wed Dec 13 2023 Solar Designer <solar@openwall.com> 0.8.0-2
|
||||
- In addition to Requires(pre), also use Requires in the sub-package
|
||||
- In %%triggerprein_control, pre-check that the facility exists
|
||||
- Use (renamed) copies of the trigger macros within this spec file
|
||||
|
||||
* Wed Dec 13 2023 Solar Designer <solar@openwall.com> 0.8.0-1
|
||||
- Add macros for use in RPM triggers
|
||||
- Add sub-package with facilities and triggers for shadow-utils
|
||||
|
||||
* Wed Dec 6 2023 Solar Designer <solar@openwall.com> 0.8.0-0
|
||||
- Initial packaging for EL based on ALT Linux and Owl packages
|
||||
</code></pre></div>
|
||||
|
||||
|
||||
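Review bot: in the new control-util-linux paragraph, the text counts 3 privileged programs (`mount`, `umount`, `write`), but the sample `control` output above it has a `mount` line and a `write` line and nothing for `umount`. If the `mount` facility governs both binaries (the reworded summary allows a facility to be a group of programs managed together), state that in this paragraph so the count and the listing agree. The setting names shown in the output (`wheelonly`, `unprivileged`, `restricted`) are also not described anywhere in the visible text beyond `public` being the EL default; a one-line description of each would let a reader choose a setting without leaving the page.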
@ -744,7 +799,7 @@ newuidmap public (public wheelonly restricted)
|
||||
<span class="md-icon" title="Last update">
|
||||
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24"><path d="M21 13.1c-.1 0-.3.1-.4.2l-1 1 2.1 2.1 1-1c.2-.2.2-.6 0-.8l-1.3-1.3c-.1-.1-.2-.2-.4-.2m-1.9 1.8-6.1 6V23h2.1l6.1-6.1-2.1-2M12.5 7v5.2l4 2.4-1 1L11 13V7h1.5M11 21.9c-5.1-.5-9-4.8-9-9.9C2 6.5 6.5 2 12 2c5.3 0 9.6 4.1 10 9.3-.3-.1-.6-.2-1-.2s-.7.1-1 .2C19.6 7.2 16.2 4 12 4c-4.4 0-8 3.6-8 8 0 4.1 3.1 7.5 7.1 7.9l-.1.2v1.8Z"/></svg>
|
||||
</span>
|
||||
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">December 14, 2023</span>
|
||||
<span class="git-revision-date-localized-plugin git-revision-date-localized-plugin-date">December 18, 2023</span>
|
||||
</span>
|
||||
|
||||
|
||||
|
File diff suppressed because one or more lines are too long
20
sitemap.xml
@ -2,52 +2,52 @@
|
||||
<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9">
|
||||
<url>
|
||||
<loc>https://sig-security.rocky.page/</loc>
|
||||
<lastmod>2023-12-14</lastmod>
|
||||
<lastmod>2023-12-18</lastmod>
|
||||
<changefreq>daily</changefreq>
|
||||
</url>
|
||||
<url>
|
||||
<loc>https://sig-security.rocky.page/issues/CVE-2023-23583/</loc>
|
||||
<lastmod>2023-12-14</lastmod>
|
||||
<lastmod>2023-12-18</lastmod>
|
||||
<changefreq>daily</changefreq>
|
||||
</url>
|
||||
<url>
|
||||
<loc>https://sig-security.rocky.page/issues/CVE-2023-4911/</loc>
|
||||
<lastmod>2023-12-14</lastmod>
|
||||
<lastmod>2023-12-18</lastmod>
|
||||
<changefreq>daily</changefreq>
|
||||
</url>
|
||||
<url>
|
||||
<loc>https://sig-security.rocky.page/packages/control/</loc>
|
||||
<lastmod>2023-12-14</lastmod>
|
||||
<lastmod>2023-12-18</lastmod>
|
||||
<changefreq>daily</changefreq>
|
||||
</url>
|
||||
<url>
|
||||
<loc>https://sig-security.rocky.page/packages/glibc/</loc>
|
||||
<lastmod>2023-12-14</lastmod>
|
||||
<lastmod>2023-12-18</lastmod>
|
||||
<changefreq>daily</changefreq>
|
||||
</url>
|
||||
<url>
|
||||
<loc>https://sig-security.rocky.page/packages/hardened_malloc/</loc>
|
||||
<lastmod>2023-12-14</lastmod>
|
||||
<lastmod>2023-12-18</lastmod>
|
||||
<changefreq>daily</changefreq>
|
||||
</url>
|
||||
<url>
|
||||
<loc>https://sig-security.rocky.page/packages/lkrg/</loc>
|
||||
<lastmod>2023-12-14</lastmod>
|
||||
<lastmod>2023-12-18</lastmod>
|
||||
<changefreq>daily</changefreq>
|
||||
</url>
|
||||
<url>
|
||||
<loc>https://sig-security.rocky.page/packages/microcode_ctl/</loc>
|
||||
<lastmod>2023-12-14</lastmod>
|
||||
<lastmod>2023-12-18</lastmod>
|
||||
<changefreq>daily</changefreq>
|
||||
</url>
|
||||
<url>
|
||||
<loc>https://sig-security.rocky.page/packages/openssh/</loc>
|
||||
<lastmod>2023-12-14</lastmod>
|
||||
<lastmod>2023-12-18</lastmod>
|
||||
<changefreq>daily</changefreq>
|
||||
</url>
|
||||
<url>
|
||||
<loc>https://sig-security.rocky.page/packages/passwdqc/</loc>
|
||||
<lastmod>2023-12-14</lastmod>
|
||||
<lastmod>2023-12-18</lastmod>
|
||||
<changefreq>daily</changefreq>
|
||||
</url>
|
||||
</urlset>
|
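Review bot: every `<lastmod>` in this hunk moves from 2023-12-14 to 2023-12-18, including entries such as `/packages/glibc/` and `/issues/CVE-2023-4911/`, while the only page content changed in the visible diff is `/packages/control/`. As written, `lastmod` tracks the deploy date rather than each page's last content change, which makes it useless for anyone watching the sitemap to spot updated advisories. Consider deriving it per page from the page's own revision date, which the page footer already displays.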
BIN
sitemap.xml.gz
Binary file not shown.