Diffstat (limited to 'main/openrc/0014-checkpath-replace-mkdir-with-mkdirat.patch')
-rw-r--r--main/openrc/0014-checkpath-replace-mkdir-with-mkdirat.patch33
1 files changed, 33 insertions, 0 deletions
diff --git a/main/openrc/0014-checkpath-replace-mkdir-with-mkdirat.patch b/main/openrc/0014-checkpath-replace-mkdir-with-mkdirat.patch
new file mode 100644
index 00000000000..8f3d55db5de
--- /dev/null
+++ b/main/openrc/0014-checkpath-replace-mkdir-with-mkdirat.patch
@@ -0,0 +1,33 @@
+From 00ea2166081856774f24f7243126f701c7fe6db9 Mon Sep 17 00:00:00 2001
+From: Michael Orlitzky <michael@orlitzky.com>
+Date: Wed, 25 Nov 2020 07:15:50 -0500
+Subject: [PATCH] src/rc/checkpath.c: replace mkdir() with mkdirat().
+
+The do_check() function recently gained some defenses against symlink
+replacement attacks that involve the use of *at functions in place of
+their vanilla counterparts; openat() instead of open(), for example.
+One opportunity to replace mkdir() with mkdirat() was missed, however,
+and this commit replaces it.
+
+This fixes #386.
+---
+ src/rc/checkpath.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/rc/checkpath.c b/src/rc/checkpath.c
+index 6422446a1..1e570de92 100644
+--- a/src/rc/checkpath.c
++++ b/src/rc/checkpath.c
+@@ -197,10 +197,10 @@ static int do_check(char *path, uid_t uid, gid_t gid, mode_t mode,
+ mode = S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH;
+ u = umask(0);
+ /* We do not recursively create parents */
+- r = mkdir(path, mode);
++ r = mkdirat(dirfd, name, mode);
+ umask(u);
+ if (r == -1 && errno != EEXIST) {
+- eerror("%s: mkdir: %s", applet,
++ eerror("%s: mkdirat: %s", applet,
+ strerror (errno));
+ return -1;
+ }
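Review bot: The `errno != EEXIST` test kept after the new `mkdirat(dirfd, name, mode)` call lets do_check() carry on when `name` already exists under `dirfd`, and mkdirat() reports nothing about what that existing entry is; it could be a symlink or a regular file rather than a directory. Whether the code that follows re-opens `name` relative to `dirfd` with O_NOFOLLOW and O_DIRECTORY before changing ownership or mode cannot be seen here, because do_check() starts and ends outside the hunk, so that is worth confirming before carrying the patch. I would add a comment above the call, `/* EEXIST is accepted: name may then be a symlink or non-directory, so only touch it via dirfd with O_NOFOLLOW */`, and include the path in the message, `eerror("%s: mkdirat: %s: %s", applet, path, strerror(errno));`, so a failure in an init script identifies the directory.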