oss-sec mailing list archives
Re: Gentoo: order of installed packages may result in vary directories permissions, leading to crontab not requiring cron group membership as example.
From: Kristian Fiskerstrand <k_f () gentoo org>
Date: Fri, 27 Jan 2017 23:49:09 +0100
On 01/27/2017 10:59 PM, KARBOWSKI Piotr wrote:
Hi,
Hi Piotr,
The packages in Gentoo often utilizes Portage's functions like keepdir to create a directories, with specified permissions. One of the examples is 'cronbase', which the only purpose is to setup /etc/cron.{hourly,daily,weekly,monthly} and /var/spool/cron. The /var/spool/cron is meant to have root:cron 750, which makes the crontab usable only for the users that are members of cron group. As for the /etc/cron.{hourly,daily,weekly,monthly} they're meant to be root:root 750. If, for instance, a mlocate package will be installed before cronbase, due to installing /etc/cron.daily/mlocate, the /etc/cron.daily will end up with 755 permissions. After than when crontab package is installed, due to usage of portage's keepdir function, the directory in temporary directory will be installed as root:cron 750, but during the merge process to rootfs no directory permissions will be merged, leaving the /etc/cron.daily as 755. On one system after installing set of packages, the /var/spool/cron ended up being cron:root 755, which results in possibility for any local user to actually create the crontabs (including system users like nginx, mysql, and so on). The way a (directory) ownership and permissions are handled in Gentoo seems to be flawed, it's not clear to me whatever Portage should provided a soluton to that, or the ebuilds authors should make sure to always depends, in case of touching cronbase directories, on the cronbase package, to ensure that it's installed prior to installing them. Nonetheless I do believe this issue is worth CVE. -- Piotr.
Tracking this in https://bugs.gentoo.org/show_bug.cgi?id=607430 please keep in mind that this is already discussed in (at least) https://bugs.gentoo.org/show_bug.cgi?id=396153 https://bugs.gentoo.org/show_bug.cgi?id=141619 https://bugs.gentoo.org/show_bug.cgi?id=58611 You might want to work with the portage team on a solution -- Kristian Fiskerstrand OpenPGP keyblock reachable at hkp://pool.sks-keyservers.net fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- Gentoo: order of installed packages may result in vary directories permissions, leading to crontab not requiring cron group membership as example. KARBOWSKI Piotr (Jan 28)
- Re: Gentoo: order of installed packages may result in vary directories permissions, leading to crontab not requiring cron group membership as example. Kristian Fiskerstrand (Jan 28)
- Re: Gentoo: order of installed packages may result in vary directories permissions, leading to crontab not requiring cron group membership as example. cve-assign (Jan 28)