From 7bbb73574b44972b0c1b364e24f71623068d7a1c Mon Sep 17 00:00:00 2001 From: "Robin H. Johnson" Date: Thu, 26 Feb 2015 17:58:22 -0800 Subject: bootmisc: clean_run safety improvements. If /tmp or / are read-only, the clean_run function can fail in some very bad ways. 1. dir=$(mktemp -d) returns an EMPTY string on error. 2. "mount -o bind / $dir", and don't check the result of that, 3. "rm -rf $dir/run/*", which removes the REAL /run contents 4. box gets very weird from this point forward Signed-Off-By: Robin H. Johnson Signed-Off-By: Chip Parker Reported-by: Chip Parker Tested-by: Chip Parker --- init.d/bootmisc.in | 29 +++++++++++++++++++++++++---- 1 file changed, 25 insertions(+), 4 deletions(-) diff --git a/init.d/bootmisc.in b/init.d/bootmisc.in index 2ec075f3..dbd258e8 100644 --- a/init.d/bootmisc.in +++ b/init.d/bootmisc.in @@ -119,11 +119,32 @@ clean_run() { [ "$RC_SYS" = VSERVER -o "$RC_SYS" = LXC ] && return 0 local dir + # If / is still read-only due to a problem, this will fail! + if ! checkpath -W /; then + eerror "/ is not writable; unable to clean up underlying /run" + return 1 + fi + if ! checkpath -W /tmp; then + eerror "/tmp is not writable; unable to clean up underlying /run" + return 1 + fi + # Now we know that we can modify /tmp and / + # if mktemp -d fails, it returns an EMPTY string + # STDERR: mktemp: failed to create directory via template ‘/tmp/tmp.XXXXXXXXXX’: Read-only file system + # STDOUT: '' + rc=0 dir=$(mktemp -d) - mount --bind / $dir - rm -rf $dir/run/* - umount $dir - rm -rf $dir + if [ -n "$dir" -a -d $dir -a -w $dir ]; then + mount --bind / $dir && rm -rf $dir/run/* || rc=1 + umount $dir + rm -rf $dir + else + rc=1 + fi + if [ $rc -ne 0 ]; then + eerror "Could not clean up underlying /run on /" + return 1 + fi } start() -- cgit v1.2.3