#1267 PR merged
: Added required libs and files for curl with HTTPs by default¶
Labels: enhancement
, cleanup
, fixed / solved / done
didacog opened issue at 2017-03-28 09:53:¶
This PR will add support for curl (HTTPS)
brief description of changes:
Added required LIBS and files to /usr/share/rear/conf/GNU/Linux.conf and remove them from /usr/share/rear/init/default/010_set_drlm_env.sh
This code has been tested on RHEL/CentOS, SLES/OpenSUSE and Debian/Ubuntu.
didacog commented at 2017-03-28 12:05:¶
Hi @jsmeix,
Any suggestion will be appreciated, I just added the libs and files because now curl is added by default and just in order to work over HTTP and HTTPs without issues.
Regards,
jsmeix commented at 2017-03-28 12:17:¶
I think it would be rather unexpected nowadays
when curl works via HTTP but not via HTTPS
so that I think this pull request should be merged "as is".
Later - preferably only when a user can show some evidence
that nowadays the recovery system is too big - we could add
support for things like LIBS_EXCLUDE / PROGS_EXCLUDE
FYI:
Since I impemented FIRMWARE_FILES support
the user can make his recovery system really noticeable
smaller compared to what it was before,
cf.
https://github.com/rear/rear/issues/1216
didacog commented at 2017-03-28 12:21:¶
Yes, I've seen that issue ;-)
Thx!
jsmeix commented at 2017-03-28 12:53:¶
This is a follow up for https://github.com/rear/rear/pull/1248
jsmeix commented at 2017-04-05 11:47:¶
@didacog
in
https://github.com/rear/rear/pull/1278#issuecomment-291835588
I am thinking about whether or not the
current default setting in conf/GNU/Linux.conf
COPY_AS_IS=( ... /etc/ssl/certs/* /etc/pki/* )
could lead to security issues.
Reason:
As far as I understand it - in /etc/ssl/certs or /etc/pki
also self-generated private stuff could be stored
which would then by default get copied into the
ReaR recovery system.
But by default the ReaR recovery system should not contain
confidential or private stuff (as far as I remember what
@schlomo wrote a longer time ago) unless the user
had explicitly configured something.
didacog commented at 2017-04-05 12:00:¶
@jsmeix
This is required by curl with https, there are stored de distribution
provided certificates installed from packages, nothing confidential.
Usually the public verified certs, and not private keys as far as I
know.
For example the private keys are stored in /etc/ssl/private (not
copied)
In /etc/pki maybe /etc/pki/tls/private should be excluded.
gdha commented at 2017-04-05 12:01:¶
@didacog Good catch - try to exclude all private keys.
didacog commented at 2017-04-05 12:04:¶
@gdha @jsmeix I will try to adjust it and send a new pull request excluding private keys location from /etc/pki.
didacog commented at 2017-04-05 12:17:¶
I guess this should work:
In usr/share/rear/conf/GNU/Linux.conf:
COPY_AS_IS_EXCLUDE=( ${COPY_AS_IS_EXCLUDE[@]:-} dev/shm/\* /etc/pki/private/* )
Let me test and check if more stuff should be excluded before PR.
jsmeix commented at 2017-04-05 12:31:¶
@didacog
when you work on it could you add some explanatory
comments directly in the code that tell about why
stuff is included and other stuff is excluded so that
others can even a longer time later still understand
the reasons behind, cf.
https://github.com/rear/rear/wiki/Coding-Style
To get comments at the right place inside longer bash arrays
I would suggest to do it somehow like this:
COPY_AS_IS=( ${COPY_AS_IS[@]:-} /dev /etc/inputr[c] /etc/protocols /etc/services /etc/rpc /etc/termcap /etc/terminfo /lib*/terminfo /usr/share/terminfo /etc/netconfig /etc/mke2 fs.conf /etc/*-release /etc/localtime /etc/magic /usr/share/misc/magic /etc/dracut.conf /etc/dracut.conf.d /usr/lib/dracut /sbin/modprobe.ksplice-orig /etc/sysctl.conf /etc/sys ctl.d /etc/e2fsck.conf ) # Required by curl with https: # There are stored the distribution provided certificates # installed from packages, nothing confidential. # Usually the public verified certs, and not private keys. # The private keys are stored in /etc/ssl/private (not copied) # In /etc/pki maybe /etc/pki/tls/private is excluded (see below). COPY_AS_IS=( "${COPY_AS_IS[@]}" '/etc/ssl/certs/*' '/etc/pki/*' ) # exclude /dev/shm/*, due to the way we use tar the leading / should be omitted COPY_AS_IS_EXCLUDE=( ${COPY_AS_IS_EXCLUDE[@]:-} dev/shm/\* ) # Exclude /etc/pki/tls/private (cf. above): COPY_AS_IS_EXCLUDE=( "${COPY_AS_IS_EXCLUDE[@]}" '/etc/pki/private/*' )
Note that using ${VAR[@]} without double-quotes is problematic
so that one should use "${VAR[@]}" see 'Arrays' in "man bash"
and see
https://github.com/rear/rear/issues/1068
Furthermore I wonder if bash globbing must be
avoided for values like /path/to/something/*
by using single quotes '/path/to/something/*'
or if bash globbing is intended by not using single quotes?
didacog commented at 2017-04-05 14:25:¶
@jsmeix @gdha
I've sent a PR #1279 with the changes tested.
Finally, to exclude all priivate keys:
/etc/pki/tls/private
/etc/pki/CA/private
/etc/pki/nssdb/key*.db
Regards,
jsmeix commented at 2017-04-05 14:52:¶
I "just merged"
https://github.com/rear/rear/pull/1279
to get that possible security issue solved as fast as possible.
[Export of Github issue for rear/rear.]