


4 changed files with 3 additions and 918 deletions


@ -1,692 +0,0 @@
From 30e1e26186f10210c9b65cca0b014ea376162c0e Mon Sep 17 00:00:00 2001
From: hanjinpeng <hanjinpeng@kylinos.cn>
Date: Fri, 15 Jul 2022 21:03:17 +0800
Subject: [PATCH] add more zh_CN translation for i18n
---
dist/systemd/po.zh_CN.js | 192 +++++++++++++++++++--------------------
1 file changed, 96 insertions(+), 96 deletions(-)
diff --git a/dist/systemd/po.zh_CN.js b/dist/systemd/po.zh_CN.js
index eb45f32..31b7059 100644
--- a/dist/systemd/po.zh_CN.js
+++ b/dist/systemd/po.zh_CN.js
@@ -81,7 +81,7 @@ return plural;
],
"$0 is not available from any repository.": [
null,
- ""
+ "$0 在任何一个仓库不可使用"
],
"$0 minute": [
"$0 minutes",
@@ -97,7 +97,7 @@ return plural;
],
"$0 will be installed.": [
null,
- ""
+ "$0 将要被安装"
],
"$0 year": [
"$0 years",
@@ -289,11 +289,11 @@ return plural;
],
"Additional packages:": [
null,
- ""
+ "附加包"
],
"Advanced TCA": [
null,
- ""
+ "高级 TCA"
],
"After": [
null,
@@ -305,11 +305,11 @@ return plural;
],
"Alert and above": [
null,
- ""
+ "Alert 及更高级别"
],
"All In One": [
null,
- ""
+ "多合一"
],
"Asset Tag": [
null,
@@ -329,43 +329,43 @@ return plural;
],
"BIOS": [
null,
- ""
+ "BIOS"
],
"BIOS date": [
null,
- ""
+ "BIOS日期"
],
"BIOS version": [
null,
- ""
+ "BIOS版本"
],
"Before": [
null,
- ""
+ "之前"
],
"Binds To": [
null,
- ""
+ "绑定到"
],
"Blade": [
null,
- ""
+ "刀片"
],
"Blade enclosure": [
null,
- ""
+ "刀片机箱"
],
"Bound By": [
null,
- ""
+ "边界为"
],
"Bug Fix Updates Available": [
null,
- ""
+ "可利用的bug修复"
],
"Bus Expansion Chassis": [
null,
- ""
+ "总线扩展机箱"
],
"CPU": [
null,
@@ -397,19 +397,19 @@ return plural;
],
"Checking for updates…": [
null,
- ""
+ "检查更新"
],
"Checking installed software": [
null,
- ""
+ "检查安装的软件"
],
"Class": [
null,
- ""
+ "分类"
],
"Click to see system hardware information": [
null,
- ""
+ "点击查看系统硬件信息"
],
"Close": [
null,
@@ -421,7 +421,7 @@ return plural;
],
"Compact PCI": [
null,
- ""
+ "紧凑型 PCI"
],
"Condition $0=$1 was not met": [
null,
@@ -433,19 +433,19 @@ return plural;
],
"Conflicted By": [
null,
- ""
+ "冲突于"
],
"Conflicts": [
null,
- ""
+ "冲突"
],
"Consists Of": [
null,
- ""
+ "组成"
],
"Convertible": [
null,
- ""
+ "可转换"
],
"Create Timer": [
null,
@@ -457,7 +457,7 @@ return plural;
],
"Critical and above": [
null,
- ""
+ "Critical 及更高级别"
],
"Current boot": [
null,
@@ -465,7 +465,7 @@ return plural;
],
"Debug and above": [
null,
- ""
+ "Debug 及更高级别"
],
"Delay": [
null,
@@ -477,11 +477,11 @@ return plural;
],
"Desktop": [
null,
- ""
+ "桌面"
],
"Detachable": [
null,
- ""
+ "可拆卸"
],
"Disable": [
null,
@@ -497,7 +497,7 @@ return plural;
],
"Docking Station": [
null,
- ""
+ "扩展坞"
],
"Domain": [
null,
@@ -509,11 +509,11 @@ return plural;
],
"Downloading $0": [
null,
- ""
+ "正在下载 $0"
],
"Embedded PC": [
null,
- ""
+ "嵌入式 PC"
],
"Enable": [
null,
@@ -525,7 +525,7 @@ return plural;
],
"Enable persistent metrics…": [
null,
- ""
+ "启用持久性指标..."
],
"Enabled": [
null,
@@ -533,7 +533,7 @@ return plural;
],
"Enhancement Updates Available": [
null,
- ""
+ "增强可利用的更新"
],
"Entry": [
null,
@@ -545,7 +545,7 @@ return plural;
],
"Error and above": [
null,
- ""
+ "Error 及更高级别"
],
"Everything": [
null,
@@ -553,7 +553,7 @@ return plural;
],
"Expansion Chassis": [
null,
- ""
+ "总线扩展机箱"
],
"Free": [
null,
@@ -577,7 +577,7 @@ return plural;
],
"Hand Held": [
null,
- ""
+ "手持式"
],
"Hardware": [
null,
@@ -585,7 +585,7 @@ return plural;
],
"Hardware Information": [
null,
- ""
+ "硬件信息"
],
"Host Name": [
null,
@@ -613,7 +613,7 @@ return plural;
],
"Info and above": [
null,
- ""
+ "Info 及更高级别"
],
"Install": [
null,
@@ -621,11 +621,11 @@ return plural;
],
"Install Software": [
null,
- ""
+ "安装的软件"
],
"Installing $0": [
null,
- ""
+ "正在安装 $0"
],
"Instantiate": [
null,
@@ -657,11 +657,11 @@ return plural;
],
"IoT Gateway": [
null,
- ""
+ "IoT 网关"
],
"Joins Namespace Of": [
null,
- ""
+ "加入命名空间"
],
"Journal": [
null,
@@ -681,7 +681,7 @@ return plural;
],
"Laptop": [
null,
- ""
+ "笔记本电脑"
],
"Last 24 hours": [
null,
@@ -713,11 +713,11 @@ return plural;
],
"Low Profile Desktop": [
null,
- ""
+ "低调桌面"
],
"Lunch Box": [
null,
- ""
+ "主机类型"
],
"Machine ID": [
null,
@@ -729,7 +729,7 @@ return plural;
],
"Main Server Chassis": [
null,
- ""
+ "主服务器机箱"
],
"Manually": [
null,
@@ -753,11 +753,11 @@ return plural;
],
"Mini PC": [
null,
- ""
+ "迷你 PC"
],
"Mini Tower": [
null,
- ""
+ "迷你电脑"
],
"Minute needs to be a number between 0-59": [
null,
@@ -769,7 +769,7 @@ return plural;
],
"Model": [
null,
- ""
+ "型号"
],
"Monday": [
null,
@@ -825,11 +825,11 @@ return plural;
],
"Notebook": [
null,
- ""
+ "笔记本"
],
"Notice and above": [
null,
- ""
+ "Notice 及更高级别"
],
"Off": [
null,
@@ -849,7 +849,7 @@ return plural;
],
"Only Emergency": [
null,
- ""
+ "只有紧急情况"
],
"Only alphabets, numbers, : , _ , . , @ , - are allowed.": [
null,
@@ -861,11 +861,11 @@ return plural;
],
"Other": [
null,
- ""
+ "其他"
],
"PCI": [
null,
- ""
+ "PCI"
],
"PackageKit crashed": [
null,
@@ -873,7 +873,7 @@ return plural;
],
"Part Of": [
null,
- ""
+ "部分"
],
"Paths": [
null,
@@ -885,15 +885,15 @@ return plural;
],
"Peripheral Chassis": [
null,
- ""
+ "外设机箱"
],
"Pizza Box": [
null,
- ""
+ "披萨盒"
],
"Portable": [
null,
- ""
+ "可移植"
],
"Power Options": [
null,
@@ -913,23 +913,23 @@ return plural;
],
"Problem details": [
null,
- ""
+ "问题详情"
],
"Problem info": [
null,
- ""
+ "问题信息"
],
"Propagates Reload To": [
null,
- ""
+ "传播重新加载到"
],
"RAID Chassis": [
null,
- ""
+ "RAID 机箱"
],
"Rack Mount Chassis": [
null,
- ""
+ "机架式机箱"
],
"Real Host Name": [
null,
@@ -957,15 +957,15 @@ return plural;
],
"Reload Propagated From": [
null,
- ""
+ "重新加载的传播来自"
],
"Removals:": [
null,
- ""
+ "移除"
],
"Removing $0": [
null,
- ""
+ "正在删除 $0"
],
"Repeat Daily": [
null,
@@ -989,11 +989,11 @@ return plural;
],
"Report": [
null,
- ""
+ "报告"
],
"Reported": [
null,
- ""
+ "已报告"
],
"Reporter 'reporter-ureport' not found.": [
null,
@@ -1005,19 +1005,19 @@ return plural;
],
"Required By": [
null,
- ""
+ "要求自"
],
"Requires": [
null,
- ""
+ "要求"
],
"Requisite": [
null,
- ""
+ "必要"
],
"Requisite Of": [
null,
- ""
+ "必备的"
],
"Reset": [
null,
@@ -1041,7 +1041,7 @@ return plural;
],
"Sealed-case PC": [
null,
- ""
+ "密封式 PC"
],
"Seconds": [
null,
@@ -1053,7 +1053,7 @@ return plural;
],
"Security Updates Available": [
null,
- ""
+ "可利用的安全更新"
],
"Service Logs": [
null,
@@ -1093,7 +1093,7 @@ return plural;
],
"Slot": [
null,
- ""
+ "槽"
],
"Sockets": [
null,
@@ -1101,7 +1101,7 @@ return plural;
],
"Space-saving Computer": [
null,
- ""
+ "节省空间的计算机"
],
"Specific Time": [
null,
@@ -1121,7 +1121,7 @@ return plural;
],
"Stick PC": [
null,
- ""
+ "PC 棒"
],
"Stop": [
null,
@@ -1133,11 +1133,11 @@ return plural;
],
"Sub Chassis": [
null,
- ""
+ "子机箱"
],
"Sub Notebook": [
null,
- ""
+ "子笔记本"
],
"Sunday": [
null,
@@ -1161,11 +1161,11 @@ return plural;
],
"System Information": [
null,
- ""
+ "系统信息"
],
"System Not Registered": [
null,
- ""
+ "系统没有注册"
],
"System Services": [
null,
@@ -1177,11 +1177,11 @@ return plural;
],
"System Up To Date": [
null,
- ""
+ "系统最新"
],
"Tablet": [
null,
- ""
+ "平板"
],
"Targets": [
null,
@@ -1197,11 +1197,11 @@ return plural;
],
"The user <b>$0</b> is not permitted to change the system time": [
null,
- ""
+ "用户 <b>$0</b> 不允许改变系统时间"
],
"The user <b>$0</b> is not permitted to enable or disable services": [
null,
- ""
+ "用户 <b>$0</b> 不允许启用或者禁用服务"
],
"The user <b>$0</b> is not permitted to modify hostnames": [
null,
@@ -1245,15 +1245,15 @@ return plural;
],
"Total size: $0": [
null,
- ""
+ "总大小: $0"
],
"Tower": [
null,
- ""
+ "塔"
],
"Triggered By": [
null,
- ""
+ "被触发"
],
"Triggers": [
null,
@@ -1281,11 +1281,11 @@ return plural;
],
"Updates Available": [
null,
- ""
+ "可利用更新"
],
"Usage of $0 CPU core": [
"Usage of $0 CPU cores",
- ""
+ "$0 CPU核心的使用量"
],
"Used": [
null,
@@ -1297,7 +1297,7 @@ return plural;
],
"Vendor": [
null,
- ""
+ "厂商"
],
"Version": [
null,
@@ -1305,19 +1305,19 @@ return plural;
],
"Waiting for other software management operations to finish": [
null,
- ""
+ "等待其他软件管理操作完成"
],
"Wanted By": [
null,
- ""
+ "需要于"
],
"Wants": [
null,
- ""
+ "需要"
],
"Warning and above": [
null,
- ""
+ "Warning 及更高级别"
],
"Wednesday": [
null,
--
2.27.0


@ -1,78 +0,0 @@
From 29500b32c66dff16ec4aabf119a5772f007a007e Mon Sep 17 00:00:00 2001
From: Martin Pitt <mpitt@redhat.com>
Date: Wed, 5 Apr 2023 17:03:45 +0200
Subject: [PATCH] ws: Disallow direct URL logins with LoginTo=false
The current documentation of LoginTo= isn't very specific about what
exactly happens with a "false" value; but it is plausible for an admin
to assume that "false" would disallow logging into a remote host
completely -- not merely hide the "Connect to:" field and then allowing
a direct URL login anyway.
It is sometimes important to disallow direct SSH logins from the login
page on publicly exposed bastion hosts, as this functionality allows
unauthenticated remote users to:
- scan the internal network for existing hosts, which might otherwise
not be accessible directly from the internet
(Fixes #18540, https://bugzilla.redhat.com/show_bug.cgi?id=2167006)
- scan the cockpit-ws host or internal network hosts for open ports
(Fixes #15077, https://bugzilla.redhat.com/show_bug.cgi?id=2018741)
So change ws to reject direct URL logins with `LoginTo=false`. This
happens most naturally in cockpit_session_launch(), as we still want to
allow remote URLs from the shell's host switcher in already
authenticated sessions. This will not produce a very friendly error
message, but it doesn't have to be -- at that point specifying direct
URLs can be considered hacking anyway.
Clarify the documentation accordingly.
Reference:https://github.com/cockpit-project/cockpit/commit/29500b32c66dff16ec4aabf119a5772f007a007e
Conflict:return NULL -> goto out;adapt context;delete test
---
doc/man/cockpit.conf.xml | 12 +++++++++---
src/ws/cockpitauth.c | 7 +++++++
2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/doc/man/cockpit.conf.xml b/doc/man/cockpit.conf.xml
index 798e1f3f5bf..eced0ebaaa2 100644
--- a/doc/man/cockpit.conf.xml
+++ b/doc/man/cockpit.conf.xml
@@ -87,9 +87,15 @@ ForwardedForHeader = X-Forwarded-For
<term><option>LoginTo</option></term>
<listitem>
<para>When set to <literal>true</literal> the <emphasis>Connect to</emphasis> option
- on the login screen is visible and allows logging into another server. If this
- option is not specified then it will be automatically detected based on whether
- the <command>cockpit-ssh</command> process is available or not.</para>
+ on the login screen is visible and allows logging into another server. When set to
+ <literal>false</literal>, direct remote logins are disallowed. If this option is not specified
+ then it will be automatically detected based on whether the
+ <command>cockpit-ssh</command> process is available or not.</para>
+
+ <para>If cockpit-ws is exposed to the public internet, and also has access to a private
+ internal network, it is recommended to explicitly set <literal>LoginTo=false</literal>. This prevents
+ unauthenticated remote attackers from scanning the internal network for existing machines
+ and open ports.</para>
</listitem>
</varlistentry>
<varlistentry>
diff --git a/src/ws/cockpitauth.c b/src/ws/cockpitauth.c
index bc62663d78a..9639a9c84de 100644
--- a/src/ws/cockpitauth.c
+++ b/src/ws/cockpitauth.c
@@ -1011,6 +1011,13 @@ cockpit_session_create (CockpitAuth *self,
goto out;
}
+ /* this might be unset, which means "allow if cockpit-ssh is installed"; if it isn't, this will fail later on */
+ if (host && !cockpit_conf_bool ("WebService", "LoginTo", TRUE)) {
+ g_set_error (error, COCKPIT_ERROR, COCKPIT_ERROR_AUTHENTICATION_FAILED,
+ "Direct remote login is disabled");
+ goto out;
+ }
+
/* These are the credentials we'll carry around for this session */
creds = build_session_credentials (self, connection, headers,
application, type, authorization);


@ -1,122 +0,0 @@
From 08965365ac311f906a520cbf65427742d5f84ba4 Mon Sep 17 00:00:00 2001
From: Martin Pitt <mpitt@redhat.com>
Date: Mon, 10 Jun 2024 10:49:56 +0200
Subject: [PATCH] pam-ssh-add: Fix insecure killing of session ssh-agent
[CVE-2024-6126]
Some distributions like Debian 12, or possibly some administrators
enable pam_env's deprecated `user_readenv` option [1]. The user session
can change the `$SSH_AGENT_PID`, so that it can pass an arbitrary pid to
`pam_sm_close_session()`. This is a local authenticated DoS.
Avoid this by storing the agent pid in a global variable. The
cockpit-session process stays around for the entire session time, so we
don't need to put the pid into the PAM data.
It can also happen that the user session's ssh-agent gets killed, and
some other process later on recycles the PID. Temporarily drop
privileges to the target user so that we at least don't kill anyone
else's process.
Add an integration test which checks that changing the env variable
works, pointing it to a different process doesn't kill that, and
ssh-agent (the original pid) is still cleaned up correctly. However, as
pam_so.env in Fedora crashes hard, skip the test there.
Many thanks to Paolo Perego <paolo.perego@suse.com> for discovering,
and Luna Dragon <luna.dragon@suse.com> for reporting this issue!
[1] https://man7.org/linux/man-pages/man8/pam_env.8.html
CVE-2024-6126
https://bugzilla.redhat.com/show_bug.cgi?id=2290859
Reference:https://github.com/cockpit-project/cockpit/commit/08965365ac311f906a520cbf65427742d5f84ba4
Conflict:include limits.h for ULONG_MAX;remove test
---
src/pam-ssh-add/pam-ssh-add.c | 47 ++++++++++++++++++++++++++++-------
1 file changed, 38 insertions(+), 9 deletions(-)
diff --git a/src/pam-ssh-add/pam-ssh-add.c b/src/pam-ssh-add/pam-ssh-add.c
index d63f06c..71223b7 100644
--- a/src/pam-ssh-add/pam-ssh-add.c
+++ b/src/pam-ssh-add/pam-ssh-add.c
@@ -33,6 +33,7 @@
#include <signal.h>
#include <assert.h>
#include <errno.h>
+#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <stdarg.h>
@@ -54,6 +55,9 @@ const char *pam_ssh_agent_arg = NULL;
const char *pam_ssh_add_program = PATH_SSH_ADD;
const char *pam_ssh_add_arg = NULL;
+static unsigned long ssh_agent_pid;
+static uid_t ssh_agent_uid;
+
/* Environment */
#define ENVIRON_SIZE 5
#define PATH "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
@@ -938,6 +942,25 @@ start_agent (pam_handle_t *pamh,
error ("couldn't set agent environment: %s",
pam_strerror (pamh, res));
}
+
+ /* parse and store the agent pid for later cleanup */
+ if (strncmp (auth_pid, "SSH_AGENT_PID=", 14) == 0)
+ {
+ unsigned long pid = strtoul (auth_pid + 14, NULL, 10);
+ if (pid > 0 && pid != ULONG_MAX)
+ {
+ ssh_agent_pid = pid;
+ ssh_agent_uid = auth_pwd->pw_uid;
+ }
+ else
+ {
+ error ("invalid SSH_AGENT_PID value: %s", auth_pid);
+ }
+ }
+ else
+ {
+ error ("unexpected agent pid format: %s", auth_pid);
+ }
}
free (auth_socket);
@@ -1024,19 +1047,25 @@ pam_sm_close_session (pam_handle_t *pamh,
int argc,
const char *argv[])
{
- const char *s_pid;
- int pid = 0;
parse_args (argc, argv);
/* Kill the ssh agent we started */
- s_pid = pam_getenv (pamh, "SSH_AGENT_PID");
- if (s_pid)
- pid = atoi (s_pid);
-
- if (pid > 0)
+ if (ssh_agent_pid > 0)
{
- debug ("Closing %d", pid);
- kill (pid, SIGTERM);
+ debug ("Closing %lu", ssh_agent_pid);
+ /* kill as user to guard against crashing ssh-agent and PID reuse */
+ if (setresuid (ssh_agent_uid, ssh_agent_uid, -1) < 0)
+ {
+ error ("could not drop privileges for killing ssh agent: %m");
+ return PAM_SESSION_ERR;
+ }
+ if (kill (ssh_agent_pid, SIGTERM) < 0 && errno != ESRCH)
+ message ("could not kill ssh agent %lu: %m", ssh_agent_pid);
+ if (setresuid (0, 0, -1) < 0)
+ {
+ error ("could not restore privileges after killing ssh agent: %m");
+ return PAM_SESSION_ERR;
+ }
}
return PAM_SUCCESS;
}


@ -1,7 +1,7 @@
%bcond_with pcp
Name: cockpit
Version: 178
Release: 17
Release: 13
Summary: A easy-to-use, integrated, glanceable, and open web-based interface for Linux servers
License: LGPLv2+
URL: https://cockpit-project.org/
@ -10,10 +10,6 @@ Source0: https://github.com/cockpit-project/cockpit/releases/download/%{v
Patch6000: CVE-2019-3804.patch
Patch6001: backport-0001-CVE-2021-3660.patch
Patch6002: backport-0002-CVE-2021-3660.patch
Patch6003: backport-CVE-2020-35850.patch
Patch6004: backport-CVE-2024-6126.patch
Patch9000: 0001-add-more-zh_CN-translation-for-i18n.patch
BuildRequires: gcc
BuildRequires: pkgconfig(gio-unix-2.0) pkgconfig(json-glib-1.0) pkgconfig(polkit-agent-1) >= 0.105 pam-devel
@ -78,6 +74,8 @@ Requires: cockpit-bridge >= 122
Requires: cockpit-system >= 122
Requires: libvirt
Requires: libvirt-client
# Optional components
Recommends: virt-install
%description cockpit-machines
The Cockpit components for managing virtual machines.
@ -212,27 +210,6 @@ test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true
%doc %{_mandir}/man8/{cockpit-ws.8.gz,remotectl.8.gz,pam_ssh_add.8.gz}
%changelog
* Thu Jul 04 2024 lingsheng <lingsheng1@h-partners.com> - 178-17
- fix CVE-2024-6126 patch name
* Thu Jul 04 2024 lingsheng <lingsheng1@h-partners.com> - 178-16
- Type:CVE
- ID:CVE-2024-6126
- SUG:restart
- DESC:fix CVE-2024-6126
* Wed May 22 2024 lingsheng <lingsheng1@h-partners.com> - 178-15
- Type:NA
- ID:NA
- SUG:NA
- DESC:add more zh_CN translation for i18n
* Sun Apr 28 2024 lingsheng <lingsheng1@h-partners.com> - 178-14
- Type:CVE
- ID:CVE-2020-35850
- SUG:restart
- DESC:fix CVE-2020-35850
* Tue Jan 10 2023 zhangpan <zhangpan@h-partners.com> - 178-13
- Type:NA
- Id:NA