oss-sec mailing list archives

Re: Gentoo: order of installed packages may result in vary directories permissions, leading to crontab not requiring cron group membership as example.

From: Kristian Fiskerstrand <k_f () gentoo org>
Date: Fri, 27 Jan 2017 23:49:09 +0100

On 01/27/2017 10:59 PM, KARBOWSKI Piotr wrote:

Hi,


Hi Piotr,

The packages in Gentoo often utilizes Portage's functions like keepdir
to create a directories, with specified permissions. One of the examples
is 'cronbase', which the only purpose is to setup
/etc/cron.{hourly,daily,weekly,monthly} and /var/spool/cron.

The /var/spool/cron is meant to have root:cron 750, which makes the
crontab usable only for the users that are members of cron group.

As for the /etc/cron.{hourly,daily,weekly,monthly} they're meant to be
root:root 750.

If, for instance, a mlocate package will be installed before cronbase,
due to installing /etc/cron.daily/mlocate, the /etc/cron.daily will end
up with 755 permissions. After than when crontab package is installed,
due to usage of portage's keepdir function, the directory in temporary
directory will be installed as root:cron 750, but during the merge
process to rootfs no directory permissions will be merged, leaving the
/etc/cron.daily as 755.

On one system after installing set of packages, the /var/spool/cron
ended up being cron:root 755, which results in possibility for any local
user to actually create the crontabs (including system users like nginx,
mysql, and so on).

The way a (directory) ownership and permissions are handled in Gentoo
seems to be flawed, it's not clear to me whatever Portage should
provided a soluton to that, or the ebuilds authors should make sure to
always depends, in case of touching cronbase directories, on the
cronbase package, to ensure that it's installed prior to installing
them. Nonetheless I do believe this issue is worth CVE.

-- Piotr.


Tracking this in https://bugs.gentoo.org/show_bug.cgi?id=607430

please keep in mind that this is already discussed in (at least)
https://bugs.gentoo.org/show_bug.cgi?id=396153
https://bugs.gentoo.org/show_bug.cgi?id=141619
https://bugs.gentoo.org/show_bug.cgi?id=58611

You might want to work with the portage team on a solution
-- 
Kristian Fiskerstrand
OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3

Attachment: signature.asc
Description: OpenPGP digital signature

Current thread:

Gentoo: order of installed packages may result in vary directories permissions, leading to crontab not requiring cron group membership as example. KARBOWSKI Piotr (Jan 28)
- Re: Gentoo: order of installed packages may result in vary directories permissions, leading to crontab not requiring cron group membership as example. Kristian Fiskerstrand (Jan 28)
- Re: Gentoo: order of installed packages may result in vary directories permissions, leading to crontab not requiring cron group membership as example. cve-assign (Jan 28)