Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 27 Jan 2017 23:49:09 +0100
From: Kristian Fiskerstrand <k_f@...too.org>
To: KARBOWSKI Piotr <piotr.karbowski@...il.com>,
 oss-security@...ts.openwall.com
Cc: security-audit@...too.org
Subject: Re: Gentoo: order of installed packages may result in vary
 directories permissions, leading to crontab not requiring cron group
 membership as example.

On 01/27/2017 10:59 PM, KARBOWSKI Piotr wrote:
> Hi,
> 

Hi Piotr,

> The packages in Gentoo often utilizes Portage's functions like keepdir
> to create a directories, with specified permissions. One of the examples
> is 'cronbase', which the only purpose is to setup
> /etc/cron.{hourly,daily,weekly,monthly} and /var/spool/cron.
> 
> The /var/spool/cron is meant to have root:cron 750, which makes the
> crontab usable only for the users that are members of cron group.
> 
> As for the /etc/cron.{hourly,daily,weekly,monthly} they're meant to be
> root:root 750.
> 
> If, for instance, a mlocate package will be installed before cronbase,
> due to installing /etc/cron.daily/mlocate, the /etc/cron.daily will end
> up with 755 permissions. After than when crontab package is installed,
> due to usage of portage's keepdir function, the directory in temporary
> directory will be installed as root:cron 750, but during the merge
> process to rootfs no directory permissions will be merged, leaving the
> /etc/cron.daily as 755.
> 
> On one system after installing set of packages, the /var/spool/cron
> ended up being cron:root 755, which results in possibility for any local
> user to actually create the crontabs (including system users like nginx,
> mysql, and so on).
> 
> The way a (directory) ownership and permissions are handled in Gentoo
> seems to be flawed, it's not clear to me whatever Portage should
> provided a soluton to that, or the ebuilds authors should make sure to
> always depends, in case of touching cronbase directories, on the
> cronbase package, to ensure that it's installed prior to installing
> them. Nonetheless I do believe this issue is worth CVE.
> 
> -- Piotr.

Tracking this in https://bugs.gentoo.org/show_bug.cgi?id=607430

please keep in mind that this is already discussed in (at least)
https://bugs.gentoo.org/show_bug.cgi?id=396153
https://bugs.gentoo.org/show_bug.cgi?id=141619
https://bugs.gentoo.org/show_bug.cgi?id=58611

You might want to work with the portage team on a solution
-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3



Download attachment "signature.asc" of type "application/pgp-signature" (489 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ