Bug 171393 - sys-process/fcron local DoS
Summary: sys-process/fcron local DoS
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL:
Whiteboard: B3 [noglsa] Falco
Keywords:
Duplicates: 131381 (view as bug list)
Depends on:
Blocks:
 
Reported: 2007-03-18 22:56 UTC by Wolfram Schlich (RETIRED)
Modified: 2020-03-11 08:30 UTC (History)
CC: 1 user

See Also:
Package list:
Runtime testing required: ---
Description Wolfram Schlich (RETIRED) gentoo-dev 2007-03-18 22:56:44 UTC
I have just committed =sys-process/fcron-3.0.2-r1 that should fix
a local DoS issue that exists with older versions.

Previous versions used the user + group 'cron' provided by cronbase.
The fcrontabs directory /var/spool/fcrontabs was cron:cron and 0770
and every user that should be able to use fcron had to be member
of the group 'cron', thus being able to remove *all* crontabs stored
in the fcrontabs directory /var/spool/fcrontabs.

The changes in 3.0.2-r1 introduce a new user and group 'fcron'
that are now used for least-privilege operation of the fcron tools
instead of cron:cron, but don't require the users that should be able
to use fcron to be members of the group 'cron' or 'fcron' (the only
way to restrict access to the fcron* commands now is by adding users to
the files /etc/fcron/fcron.{allow,deny}).

Users that are still members of the group 'cron' cannot do
anything bad after the upgrade.

Version 3.0.2 itself is in Portage since 2007-01-18, so
considering marking it stable might be reasonable.

UPDATE: I have just committed some small changes to 3.0.2-r1,
so please everyone be sure to get the latest version (1.2).

Thanks!
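The description above comes down to a directory-permission fact: unlinking a file is decided by write permission on the containing directory, so a 0770 cron:cron spool let every member of 'cron' remove anyone's crontab. The following audit helper is an added example, not part of this bug or the fcron ebuild; it assumes GNU stat (-c) as found on Gentoo and takes the directories to check as arguments.

```shell
#!/bin/sh
# Added audit helper for the spool-permission issue in bug 171393. It is not
# from the bug or the fcron ebuild. Assumes GNU stat (-c), as on Gentoo/Linux.
#
# Unlinking a file is governed by write permission on the directory, not on
# the file, so a 0770 cron:cron /var/spool/fcrontabs lets every member of
# 'cron' delete any user's crontab. The fixed layout closes the directory to
# the group ordinary users belong to; this helper flags directories that are
# still writable by group or other and calls out a shared group by name.

# spool_risk DIR [GROUP]
#   Prints a verdict for DIR. Returns 0 when only the owner can write into
#   it, 1 when group or other can (members could remove other users' files),
#   2 when DIR does not exist. GROUP (default: cron) is the shared group whose
#   ownership of the directory is reported as well.
spool_risk() {
    dir=$1
    shared=${2:-cron}
    [ -d "$dir" ] || { echo "$dir: no such directory"; return 2; }
    perms=$(stat -c '%A' "$dir")   # e.g. drwxrwx---
    group=$(stat -c '%G' "$dir")
    note=""
    [ "$group" = "$shared" ] && note=" (shared group '$shared': every member is affected)"
    case $perms in
        ?????w????|????????w?)     # group-write bit (char 6) or other-write bit (char 9)
            echo "$dir $perms $group: group/other can unlink any file here$note"
            return 1 ;;
    esac
    echo "$dir $perms $group: closed to group and other"
    return 0
}

# Audit every directory given on the command line, e.g.
#   ./spool_risk.sh /var/spool/fcrontabs /etc/fcron
if [ $# -gt 0 ]; then
    rc=0
    for d in "$@"; do spool_risk "$d" || rc=1; done
    echo "overall: $rc"
fi
```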
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-19 00:16:03 UTC
Disclosing this issue with Wolfram's agreement

CCing arches.

Arches, please test and mark stable sys-process/fcron-3.0.2-r1 if appropriate, thanks.
Comment 2 Christian Faulhammer (RETIRED) gentoo-dev 2007-03-19 07:24:04 UTC
x86 stable
Comment 3 Wolfram Schlich (RETIRED) gentoo-dev 2007-03-19 09:30:57 UTC
Dear arches, please STOP stabilizing as I have missed something in
the upgrade path.

the permissions of /etc/fcron and /etc/fcrontab don't get fixed,
I have to add another chown+chmod combo to the build.

@x86, what do we do? 3.0.2-r1 is already marked stable on your arch.
Comment 4 Wolfram Schlich (RETIRED) gentoo-dev 2007-03-19 10:09:23 UTC
Talked to armin76 on IRC -- I will just commit the fixed ebuild.
Comment 5 Wolfram Schlich (RETIRED) gentoo-dev 2007-03-19 10:20:59 UTC
Committed fixed fcron-3.0.2-r1.ebuild (revision 1.4).
Comment 6 Gustavo Zacarias (RETIRED) gentoo-dev 2007-03-19 13:54:05 UTC
Hmmm it lacks a virtual/mta dep and wants /usr/sbin/sendmail...
Comment 7 Gustavo Zacarias (RETIRED) gentoo-dev 2007-03-19 13:54:52 UTC
Also x86 lost its stable keyword in the fix0r or whatnot...
Comment 8 Wolfram Schlich (RETIRED) gentoo-dev 2007-03-19 14:53:02 UTC
(In reply to comment #6)
> Hmmm it lacks a virtual/mta dep and wants /usr/sbin/sendmail...

Added virtual/mta to DEPEND. Thanks!

(In reply to comment #7)
> Also x86 lost its stable keyword in the fix0r or whatnot...

ARGH! :( I thought I had taken care of it... sorry :(
Anyway, armin76 fixed it... thanks!
Comment 9 Gustavo Zacarias (RETIRED) gentoo-dev 2007-03-19 14:56:18 UTC
sparc stable then, thanks!
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2007-03-19 15:09:54 UTC
Hey, now, we really want to leave... x86 gone again from this bug.
Comment 11 Jeroen Roovers (RETIRED) gentoo-dev 2007-03-20 03:07:04 UTC
Stable for HPPA.
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2007-03-20 20:27:34 UTC
ppc stable
Comment 13 Steve Dibb (RETIRED) gentoo-dev 2007-03-22 02:08:15 UTC
amd64 stable
Comment 14 Wolfram Schlich (RETIRED) gentoo-dev 2007-03-23 23:31:17 UTC
*** Bug 131381 has been marked as a duplicate of this bug. ***
Comment 15 Matt Drew (RETIRED) gentoo-dev 2007-03-24 22:39:15 UTC
security, please vote - I vote no GLSA, local DoS, low impact.
Comment 16 Vic Fryzel (shellsage) (RETIRED) gentoo-dev 2007-03-25 03:17:11 UTC
I vote no, this seems low impact.
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-25 05:55:01 UTC
Two NO votes -> Closing with NO GLSA. Feel free to reopen if you disagree.