authorLamont Granquist <lamont@scriptkiddie.org>2018-12-13 14:20:49 -0800
committerLamont Granquist <lamont@scriptkiddie.org>2018-12-13 14:20:49 -0800
commitcfa45b928007e5b9b90a31ad79cd5cbf2b03c9f4 (patch)
tree83c867743265a2edbb002a0ee826fb0de9b7cbc2
parent190e39fcb17240b8ac07d7c5784d77417137e206 (diff)
fix copypasta bug and theoretical security bug
Signed-off-by: Lamont Granquist <lamont@scriptkiddie.org>
-rwxr-xr-xomnibus/package-scripts/angrychef/preinst10
-rwxr-xr-xomnibus/package-scripts/chef-fips/preinst10
-rwxr-xr-xomnibus/package-scripts/chef/preinst8
3 files changed, 20 insertions, 8 deletions
diff --git a/omnibus/package-scripts/angrychef/preinst b/omnibus/package-scripts/angrychef/preinst
index 0baebe07f4..870bd5fc37 100755
--- a/omnibus/package-scripts/angrychef/preinst
+++ b/omnibus/package-scripts/angrychef/preinst
@@ -7,11 +7,15 @@
# this programming language. do not touch.
# - if you are under 40, get peer review from your elders.
-INSTALLER_DIR=/opt/chef
+INSTALLER_DIR=/opt/angrychef
echo "removing $INSTALLER_DIR..."
-# we have to move the dir before trying to wipe it and then ignore errors since
-# files may still be in use.
+# have to do this dance of moving /opt/chef to a tmp dir since files may be in use
tmp_dir="/opt/.chef.$$"
+# if we can't create the tmp_dir then fail hard to prevent any possible security hole
+(umask 077 && mkdir $tmp_dir) || exit 1
+# now we can clean up the tmp_dir we created safely
mv $INSTALLER_DIR $tmp_dir
+# ignore errors which must be EBUSY issues, this may crate some litter, which may
+# be unavoidable
rm -rf $tmp_dir || true
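Review bot: The new `(umask 077 && mkdir $tmp_dir) || exit 1` line aborts the package install without printing anything, and `tmp_dir` is derived only from the PID. A `/opt/.chef.<pid>` left behind by an earlier run (the comment above `rm -rf` accepts that litter is possible) will therefore make a later run that draws the same PID fail with no explanation. Refusing to reuse an existing path is the right behaviour, since it is what guarantees the directory was created by this script with mode 0700, but the failure should name the path that blocked it: `(umask 077 && mkdir $tmp_dir) || { echo "cannot create $tmp_dir; remove it and re-run" >&2; exit 1; }`. The same line appears in the chef-fips and chef hunks.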
diff --git a/omnibus/package-scripts/chef-fips/preinst b/omnibus/package-scripts/chef-fips/preinst
index 0baebe07f4..69909262c9 100755
--- a/omnibus/package-scripts/chef-fips/preinst
+++ b/omnibus/package-scripts/chef-fips/preinst
@@ -7,11 +7,15 @@
# this programming language. do not touch.
# - if you are under 40, get peer review from your elders.
-INSTALLER_DIR=/opt/chef
+INSTALLER_DIR=/opt/chef-fips
echo "removing $INSTALLER_DIR..."
-# we have to move the dir before trying to wipe it and then ignore errors since
-# files may still be in use.
+# have to do this dance of moving /opt/chef to a tmp dir since files may be in use
tmp_dir="/opt/.chef.$$"
+# if we can't create the tmp_dir then fail hard to prevent any possible security hole
+(umask 077 && mkdir $tmp_dir) || exit 1
+# now we can clean up the tmp_dir we created safely
mv $INSTALLER_DIR $tmp_dir
+# ignore errors which must be EBUSY issues, this may crate some litter, which may
+# be unavoidable
rm -rf $tmp_dir || true
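Review bot: The comments added in this hunk still describe `/opt/chef` while the script now removes `/opt/chef-fips`, and `tmp_dir` keeps the `.chef.` prefix, so some of the copy-paste residue the commit sets out to fix survives in the text. I would word the first comment around the variable, `# move $INSTALLER_DIR into a private tmp dir first, since files may be in use`, and correct "crate" to "create" in the comment above `rm -rf`. The angrychef hunk has the same comment wording, and the typo is in all three files.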
diff --git a/omnibus/package-scripts/chef/preinst b/omnibus/package-scripts/chef/preinst
index 0baebe07f4..b3f48258c7 100755
--- a/omnibus/package-scripts/chef/preinst
+++ b/omnibus/package-scripts/chef/preinst
@@ -10,8 +10,12 @@
INSTALLER_DIR=/opt/chef
echo "removing $INSTALLER_DIR..."
-# we have to move the dir before trying to wipe it and then ignore errors since
-# files may still be in use.
+# have to do this dance of moving /opt/chef to a tmp dir since files may be in use
tmp_dir="/opt/.chef.$$"
+# if we can't create the tmp_dir then fail hard to prevent any possible security hole
+(umask 077 && mkdir $tmp_dir) || exit 1
+# now we can clean up the tmp_dir we created safely
mv $INSTALLER_DIR $tmp_dir
+# ignore errors which must be EBUSY issues, this may crate some litter, which may
+# be unavoidable
rm -rf $tmp_dir || true
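Review bot: `mv $INSTALLER_DIR $tmp_dir` runs unconditionally and its result is not checked, so on a host with no previous install it prints an error and the script carries on. The comment placed above it ("now we can clean up the tmp_dir we created safely") describes the later `rm`, not the move. A guard keeps first installs quiet and makes the intent explicit: `if [ -d "$INSTALLER_DIR" ]; then mv "$INSTALLER_DIR" "$tmp_dir"; fi`. Whether the script sets an exit-on-error option is not visible in the hunk, and the same `mv` line appears in the angrychef and chef-fips hunks.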