From 590cf0e626f6a5e813ec4f3021c028a5e098e27d Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Tue, 21 Sep 2021 20:29:49 +0200
Subject: vrrp: keepalived: T616: enable script security

---
 data/templates/vrrp/keepalived.conf.tmpl | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'data/templates/vrrp/keepalived.conf.tmpl')

diff --git a/data/templates/vrrp/keepalived.conf.tmpl b/data/templates/vrrp/keepalived.conf.tmpl
index 2b53b04af..3696c8395 100644
--- a/data/templates/vrrp/keepalived.conf.tmpl
+++ b/data/templates/vrrp/keepalived.conf.tmpl
@@ -5,6 +5,9 @@
 global_defs {
     dynamic_interfaces
     script_user root
+    # Don't run scripts configured to be run as root if any part of the path
+    # is writable by a non-root user.
+    enable_script_security
     notify_fifo /run/keepalived/keepalived_notify_fifo
     notify_fifo_script /usr/libexec/vyos/system/keepalived-fifo.py
 }
-- 
cgit v1.2.3