xCAT-2.5.1-alt0.4.noarch missing-url info The Url: tag is missing from the package.; xCAT-2.5.1-alt0.4.noarch unsafe-tmp-usage-in-scripts fail The test found scripts with errors that a local user could exploit to damage important system files. For example, if a script works with a temporary file that it creates under a predictable name in the /tmp directory, any user can create a symlink with the same name (or matching pattern) in that directory beforehand, so that the script destroys or overwrites system files or another user's files. Scripts _must_ _use_ mktemp/tempfile or must use $TMPDIR. mktemp/tempfile is safest. $TMPDIR is safer than /tmp/ because libpam-tmpdir creates a subdirectory of /tmp that is accessible only to that user and then sets TMPDIR and other variables to point to it. Hence it matters much less if you create a non-random filename, because nobody but you can access it. Scripts that may run outside a PAM login session, as the install-time postscripts below presumably do, cannot rely on TMPDIR having been set this way and should use mktemp. The exposure is also greater where the /tmp file is afterwards made executable and run, or is used to stage key material, as several excerpts below do with /tmp/mypostscript and /tmp/ssh_root_key. Found error in /var/lib/xcat/postscripts/xcatinstallpost: $ grep -A5 -B5 /tmp/ /var/lib/xcat/postscripts/xcatinstallpost PATH=/xcatpost:$PATH export PATH chmod +x /xcatpost/*; if [ -x /usr/bin/openssl ]; then SIP=`grep "^MASTER=" /tmp/mypostscript.post |cut -d= -f2` XCATSERVER="$SIP:3001" export XCATSERVER USEOPENSSLFORXCAT=1 #Though this is the only method going forward, flag to allow backward compatibility with 2.2 generated netboot images export USEOPENSSLFORXCAT fi DHCP_TMP=`sed 's/\(DHCPINTERFACES=\)\(.*\)$/\1"\2"/' /tmp/mypostscript.post` echo "$DHCP_TMP" > /tmp/mypostscript.post echo "updateflag.awk \$MASTER 3002 \"installstatus booted\"" >> /tmp/mypostscript.post chmod +x /tmp/mypostscript.post if [ -x /tmp/mypostscript.post ];then /tmp/mypostscript.post fi Found error in /var/lib/xcat/postscripts/xcatdsklspost.aix: $ grep -A5 -B5 /tmp/ /var/lib/xcat/postscripts/xcatdsklspost.aix } # check & run the postscript my $scriptname = "/xcatpost/".$shorthost; if ($osname eq "Linux") { $scriptname = "/tmp/mypostscript"; } if (-f $scriptname) { my $rc = system("$scriptname"); if ($rc >> 8) -- print $stunconf "verify=0\n"; print $stunconf 
"[xcatd]\n"; print $stunconf "accept=400\n"; print $stunconf "connect=$ip:3001\n"; close($stunconf); my $getcmd = "stunnel; sleep 1; mkdir -p /xcatpost; cd /xcatpost; wget -l inf -N -r --waitretry=10 --random-wait --retry-connrefused -t 0 -T 60 ftp://$ip/install/postscripts; mv $ip/install/postscripts/* .; chmod +x /xcatpost/*; /xcatpost/getpostscript.awk | sed -e 's/<[^>]*>//g'|egrep -v '^ *$'|sed -e 's/^ *//' > /tmp/mypostscript; chmod +x /tmp/mypostscript"; if (&runcmd($getcmd) != 0) { print $::LOG_FILE "$::sdate xcatdsklspost: Could not get xcatpost.tar.gz.\n"; return 1; Found error in /var/lib/xcat/postscripts/xcatdsklspost: $ grep -A5 -B5 /tmp/ /var/lib/xcat/postscripts/xcatdsklspost max_retries=5 retry=0 rc=1 while [ 0 -eq 0 ]; do wget -l inf -nH -N -r --waitretry=10 --random-wait -T 60 ftp://$server/postscripts -P /xcatpost --cut-dirs=1 2> /tmp/wget.log rc=$? if [ $rc -eq 0 ]; then return 0; fi -- if [ ! -d /xcatpost ]; then mkdir -p /xcatpost; fi if [ ! -d /tmp/postage ]; then mkdir -p /tmp/postage fi rm -R -f /xcatpost/* rm -R -f /tmp/postage/* #here we get all the postscripts. Please do not change this behaviour because some scripts depend on others cd /tmp/postage if [ "$MODE" == "4" ]; then # for statelite mode # We have written the xCATSERVER info into the kernel command line!! 
for i in `cat /proc/cmdline`; do -- export XCATSERVER USEOPENSSLFORXCAT=1 #Though this is the only method going forward, flag to allow backward compatibility with 2.2 generated netboot images export USEOPENSSLFORXCAT fi /xcatpost/getpostscript.awk | sed -e 's/<[^>]*>//g'|egrep -v '^ *$'|sed -e 's/^ *//' > /tmp/mypostscript; MYCONT=`grep MASTER /tmp/mypostscript` #echo "MYCONT=$MYCONT" #if getpostscript.awk fails, the postscript will fall into infinit loop #so one retry_number is added to avoid sunc a condition MAX_RETRIES=10 RETRY=0 -- let SLI=$RANDOM%10 let SLI=10+$SLI sleep $SLI /xcatpost/getpostscript.awk | sed -e 's/<[^>]*>//g'|egrep -v '^ *$'|sed -e 's/^ *//' > /tmp/mypostscript; MYCONT=`grep MASTER /tmp/mypostscript` if [ ! -z "$MYCONT" ]; then break; fi done #save the MASTER into the xcatinfo file for node deployment case, #for updatenode case, only save it when -M is specified if [ $NODE_DEPLOYMENT -eq 1 ] || [ "$MODE" == "4" ]; then new_ms=`grep '^MASTER' /tmp/mypostscript |cut -d= -f2` fi if [ -n "$new_ms" ]; then if [ ! 
-f /opt/xcat/xcatinfo ]; then mkdir -p /opt/xcat touch /opt/xcat/xcatinfo -- # when called by the updatenode command #modify the UPDATENODE flag to 1 if [ "$MODE" == "1" ] || [ "$MODE" == "2" ]; then TMP=`sed -e 's/UPDATENODE=0/UPDATENODE=1/g' /tmp/mypostscript`; echo "$TMP" > /tmp/mypostscript; fi if [ "$MODE" == "5" ]; then TMP=`sed -e 's/UPDATENODE=0/UPDATENODE=1\nUPDATESECURITY=1\nexport UPDATESECURITY/g' /tmp/mypostscript`; echo "$TMP" > /tmp/mypostscript; fi # postscript name is specified with the updatenode if [ "XX$POSTSCRIPTS" != "XX" ]; then #remove all the postbootscripts TMP=`sed "/postbootscripts-start-here/,/postbootscripts-end-here/ d" /tmp/mypostscript` echo "$TMP" > /tmp/mypostscript #remove all the postscripts TMP=`sed "/postscripts-start-here/,/postscripts-end-here/ d" /tmp/mypostscript` echo "$TMP" > /tmp/mypostscript echo "# postscripts-start-here\n" >> /tmp/mypostscript #add requested postscripts in echo "$POSTSCRIPTS" | tr "," "\n" >> /tmp/mypostscript echo "# postscripts-end-here\n" >> /tmp/mypostscript fi #ADDSITEYUM is set by post.rh and post.rh.iscsi for full installtion #if [[ "$ADDSITEYUM" = "1" ]]; then # TMP=`sed "/postscripts-start-here/ a addsiteyum" /tmp/mypostscript` # echo "$TMP" > /tmp/mypostscript #fi #MYCONT=`cat /tmp/mypostscript` #echo "$MYCONT" # use the run_ps subroutine to run the postscripts TMP=`sed "/postscripts-start-here/,/postscripts-end-here/ s/\(.*\)/run_ps \1/;s/run_ps\s*#/#/;s/run_ps\s*$//" /tmp/mypostscript` echo " # subroutine used to run postscripts run_ps () { local os= local script="\$1" -- echo \"Postscript \$script does NOT exist.\" | tee -a \$logfile fi } # subroutine end " > /tmp/mypostscript echo "$TMP" >> /tmp/mypostscript TMP=`sed "/postbootscripts-start-here/,/postbootscripts-end-here/ s/\(.*\)/run_ps \1/;s/run_ps\s*#/#/;s/run_ps\s*$//" /tmp/mypostscript` echo "$TMP" > /tmp/mypostscript if [ $NODE_DEPLOYMENT -eq 1 ] || [ "$MODE" == "4" ]; then #notify the server that we are done with netbooting 
CNS=`grep NODESTATUS= /tmp/mypostscript |awk -F = '{print $2}'` if [ -z "$CNS" ] || [ "$CNS" != "'0'" -a "$CNS" != "'N'" -a "$CNS" != "'n'" ]; then echo "updateflag.awk \$MASTER 3002 \"installstatus booted\"" >> /tmp/mypostscript fi fi DHCP_TMP=`sed 's/\(DHCPINTERFACES=\)\(.*\)$/\1"\2"/' /tmp/mypostscript` echo "$DHCP_TMP" > /tmp/mypostscript chmod +x /tmp/mypostscript if [ -x /tmp/mypostscript ];then /tmp/mypostscript fi #rm -f /tmp/mypostscript #tell user it is done when this is called by updatenode command if [ "$MODE" == "1" ] || [ "$MODE" == "2" ] || [ "$MODE" == "5" ]; then echo "returned from postscript" fi Found error in /var/lib/xcat/postscripts/setupesx: $ grep -A5 -B5 /tmp/ /var/lib/xcat/postscripts/setupesx fi # create a script that will launch the first time ESX does and configure # the network cat >/tmp/esxcfg.sh <>/etc/rc.d/rc.local <|' | sed -e 's/<//' -e 's/&/&/' -e 's/"/"/' -e "s/'/'/" > /tmp/ssh_dsa_hostkey #check the message is an error or not grep -E '' /tmp/ssh_dsa_hostkey if [ $? -ne 0 ]; then #the message received is the data cat /tmp/ssh_dsa_hostkey | grep -E -v '||' >$SSHDIR/ssh_host_dsa_key logger -t xCAT ssh_dsa_hostkey MYCONT=`cat $SSHDIR/ssh_host_dsa_key` while [ -z "$MYCONT" ]; do let SLI=$RANDOM%10 let SLI=SLI+10 -- if ! grep "PRIVATE KEY" $SSHDIR/ssh_host_dsa_key > /dev/null 2>&1 ; then rm $SSHDIR/ssh_host_dsa_key fi else #the message received is an error, so parse it ERR_MSG=`sed -n 's%.*\(.*\).*%\1%p' /tmp/ssh_dsa_hostkey` logger -t xCAT Error: $ERR_MSG fi rm /tmp/ssh_dsa_hostkey getcredentials.awk ssh_rsa_hostkey | grep -E -v '|' | sed -e 's/<//' -e 's/&/&/' -e 's/"/"/' -e "s/'/'/" > /tmp/ssh_rsa_hostkey #check whether the message is an error or not grep -E '' /tmp/ssh_rsa_hostkey if [ $? 
-ne 0 ]; then #the message received is the data we request cat /tmp/ssh_rsa_hostkey | grep -E -v '||' >$SSHDIR/ssh_host_rsa_key logger -t xCAT ssh_rsa_hostkey MYCONT=`cat $SSHDIR/ssh_host_rsa_key` while [ -z "$MYCONT" ]; do let SLI=$RANDOM%10 let SLI=SLI+10 -- if ! grep "PRIVATE KEY" $SSHDIR/ssh_host_rsa_key > /dev/null 2>&1 ; then rm $SSHDIR/ssh_host_rsa_key fi else #This is an error message ERR_MSG=`sed -n 's%.*\(.*\).*%\1%p' /tmp/ssh_rsa_hostkey` logger -t xCAT Error: $ERR_MSG fi rm /tmp/ssh_rsa_hostkey if [ -r /etc/xCATSN ] ; then mkdir -p /etc/xcat/hostkeys cp $SSHDIR/ssh* /etc/xcat/hostkeys/. fi -- mkdir -p /root/.ssh/ sleep 1 if [ $ENABLESSHBETWEENNODES = "YES" ]; then getcredentials.awk ssh_root_key | grep -E -v '|'|sed -e 's/<//' -e 's/&/&/' -e 's/"/"/' -e "s/'/'/" > /tmp/ssh_root_key #check whether the message is an error or not grep -E '' /tmp/ssh_root_key if [ $? -ne 0 ]; then #The message contains the data we request cat /tmp/ssh_root_key | grep -E -v '||' > /root/.ssh/id_rsa logger -t xCAT ssh_root_key MYCONT=`cat /root/.ssh/id_rsa` while [ -z "$MYCONT" ]; do let SLI=$RANDOM%10 let SLI=SLI+10 -- getcredentials.awk ssh_root_key | grep -v '<'|sed -e 's/<//' -e 's/&/&/' -e 's/"/"/' -e "s/'/'/" > /root/.ssh/id_rsa MYCONT=`cat /root/.ssh/id_rsa` done else #This is an error message ERR_MSG=`sed -n 's%.*\(.*\).*%\1%p' /tmp/ssh_root_key` logger -t xCAT ssh_root_key Error: $ERR_MSG fi rm /tmp/ssh_root_key if ! 
grep "PRIVATE KEY" /root/.ssh/id_rsa > /dev/null 2>&1 ; then rm /root/.ssh/id_rsa fi if [ -r /root/.ssh/id_rsa ]; then Found error in /var/lib/xcat/postscripts/otherpkgs: $ grep -A5 -B5 /tmp/ /var/lib/xcat/postscripts/otherpkgs if [ "$plain_pkgs" != "" ]; then if [ $mounted -eq 0 ]; then dir_no_ftproot=${OTHERPKGDIR#$INSTALLDIR/} mkdir -p /xcatpost/$dir_no_ftproot rm -f -R /xcatpost/$dir_no_ftproot/* mkdir -p /tmp/postage/ rm -f -R /tmp/postage/* cd /tmp/postage for x in `echo "$plain_pkgs" | tr " " "\n"` do wget -l inf -N -r --waitretry=10 --random-wait --retry-connrefused -t 0 -T 60 ftp://$OTHERPKGDIR/$x 2> /tmp/wget.log done mv $dir_no_ftproot/* /xcatpost/$dir_no_ftproot; rm -rf $NFSSERVER cd /xcatpost/$dir_no_ftproot;