| |
@@ -301,7 +301,16 @@
|
| |
# make temp mount points
|
| |
mkdir /tmp/{boot,root} &> /dev/null
|
| |
mount "$BOOTPART" /tmp/boot &> /dev/null
|
| |
+ if [ $? -ne 0 ]; then
|
| |
+ echo "Error: mount $BOOTPART /tmp/boot failed"
|
| |
+ exit 1
|
| |
+ fi
|
| |
+
|
| |
mount "$ROOTPART" /tmp/root &> /dev/null
|
| |
+ if [ $? -ne 0 ]; then
|
| |
+ echo "Error: mount $ROOTPART /tmp/root failed"
|
| |
+ exit 1
|
| |
+ fi
|
| |
|
| |
# turn off selinux
|
| |
if [ "$SELINUX" != "" ] ; then
|
| |
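Review bot: The `mkdir /tmp/{boot,root} &> /dev/null` line just above the new checks is still unchecked and still uses fixed, predictable names under the world-writable /tmp, so a directory or symlink that a local user created beforehand is still accepted as the mount point. The added checks only cover the case where the mount itself fails. Consider creating the mount points with `mktemp -d`, aborting if that fails, and using the returned paths for both mounts and for everything that later touches /tmp/boot or /tmp/root. Two smaller points in the added lines: when the second mount fails, the script exits while "$BOOTPART" is still mounted on /tmp/boot, so unmount it before that `exit 1`; and both error messages go to stdout, where `>&2` would be the usual destination. Writing the test as `if ! mount "$ROOTPART" /tmp/root; then` would also avoid the separate `$?` comparison.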
Since /tmp is world writable, and we do not verify the return code
of mount (or mkdir), a local attacker could precreate /tmp/boot
and /tmp/root directories in a way that mount fails, and later
add a symlink to fool the script. For example /tmp/root/etc/ pointing to
/etc, which in turn will make this sed call
    sed -i 's/root:x:/root::/' /tmp/root/etc/passwd
modify the real /etc/password file (since the tool is running
as root, SELinux policies are most likely bypassed, and the symlink
protection in /tmp wouldn't be applicable if the symlink is a directory).