Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change the system.map file permission only readable by root #329

Merged
merged 1 commit into from
Sep 7, 2023
Merged

Change the system.map file permission only readable by root #329

merged 1 commit into from
Sep 7, 2023

Conversation

xumia
Copy link
Collaborator

@xumia xumia commented Sep 7, 2023

Change the system.map file permission only readable by root

@xumia xumia requested a review from a team as a code owner September 7, 2023 03:06
@linux-foundation-easycla
Copy link

linux-foundation-easycla bot commented Sep 7, 2023
edited
Loading

CLA Signed

The committers listed above are authorized under a signed CLA.

@xumia xumia requested a review from saiarcot895 September 7, 2023 03:06
@xumia
Copy link
Collaborator Author

xumia commented Sep 7, 2023

/easycla

@xumia xumia force-pushed the fix-system-map-permission-issue branch from 8f9285f to 6f91b49 Compare September 7, 2023 03:10
@xumia xumia mentioned this pull request Sep 7, 2023
Closed
11 tasks
@saiarcot895
Copy link
Contributor

Looks like this was opened against an older version of the master branch, can you merge/rebase against the latest changes?

@saiarcot895
Copy link
Contributor

Never mind, I see you updated it now

@saiarcot895 saiarcot895 merged commit fa40db7 into sonic-net:master Sep 7, 2023
5 checks passed
@paulmenzel
Copy link
Contributor

@saiarcot895, why did you merge a “security patch“, that does not contain any information at all about the motivation? Why are Debian’s defaults bad?

@saiarcot895, please revert, and @xumia, please resubmit with proper description.

@saiarcot895
Copy link
Contributor

saiarcot895 commented Sep 7, 2023
edited
Loading

@paulmenzel there are some details in sonic-net/sonic-buildimage#15893.

The short version of it is that as per OpenSCAP, the System.map file must be readable only by root. This is despite the fact that Debian already ships a fake System.map file (since there's almost never a need to use the actual contents of the file at runtime). The options to meet OpenSCAP's requirements are either to make it readable only by root, or to remove it (both of which can be done either at package installation time or during the package build time). Since it would be better to have it be consistently done at package build time (so that manual changes to files from packages are not needed), I recommended having the change be done in this repo via a patch instead.

To be clear, it's not that Debian's defaults are bad/insecure; it's just that some security projects/audits have different requirements that need to be met.

@saiarcot895
Copy link
Contributor

@xumia This patch actually needs to go into the patches/preconfig directory to have any effect. Could you make another PR to fix this?

@xumia
Copy link
Collaborator Author

xumia commented Sep 8, 2023

@xumia This patch actually needs to go into the patches/preconfig directory to have any effect. Could you make another PR to fix this?

@saiarcot895 , thanks, I have sent another PR to fix it, #331

vivekrnv added a commit to vivekrnv/sonic-linux-kernel that referenced this pull request Oct 24, 2023
@vivekrnv
Revert "Change the system.map file permission only readable by root (s…
99031c9 
…onic-net#329)"

This reverts commit fa40db7.
@xumia xumia mentioned this pull request Dec 15, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@saiarcot895 saiarcot895 saiarcot895 approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@xumia @saiarcot895 @paulmenzel