25931 – bad directory permissions in acroread 5.07

Bug 25931 - bad directory permissions in acroread 5.07

Summary: bad directory permissions in acroread 5.07

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	New packages (show other bugs)
Hardware:	All Linux

Importance:	High normal (vote)
Assignee:	Mamoru KOMACHI (RETIRED)

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2003-08-04 23:02 UTC by petre rodan (RETIRED)
Modified:	2003-08-11 10:23 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description petre rodan (RETIRED) gentoo-dev

2003-08-04 23:02:09 UTC

some of the installed dirs containing binaries (and libraries) are 775.
on some systems that use grsecurity with the following flags enabled:

CONFIG_GRKERNSEC_TPE
CONFIG_GRKERNSEC_TPE_ALL

the execution of the binaries will be stopped by the system.
for instance:

Aug  4 20:37:58 [kernel] grsec: denied untrusted exec of
/opt/Acrobat5/Browsers/intellinux/nppdf.so by (mozilla-bin:27472) UID(1000)
EUID(1000), parent (wmaker:26706) UID(1000) EUID(1000)

quick solution:

find /opt/Acrobat5 -type d -exec bash -c 'chmod 755 {}' \;



Reproducible: Always
Steps to Reproduce:
0. use grsecurity with CONFIG_GRKERNSEC_TPE{,_ALL}=y
1. rsync
2. emerge acroread
3. acroread
4. tail /var/log/everything/current
5. find /opt/Acrobat5 -type d -exec bash -c 'chmod 755 {}' \;
6. acoread # now it works

Actual Results:  
Aug  4 20:37:58 [kernel] grsec: denied untrusted exec of
/opt/Acrobat5/Browsers/intellinux/nppdf.so by (mozilla-bin:27472) UID(1000)
EUID(1000), parent (wmaker:26706) UID(1000) EUID(1000)

Expected Results:  
emerge acroread should remove the group writable atribute (755).

Portage 2.0.48-r5 (default-x86-1.4, gcc-3.2.3, glibc-2.3.2-r1)
=================================================================
System uname: 2.4.21 i686 Intel(R) Pentium(R) 4 CPU 1.80GHz
GENTOO_MIRRORS="ftp://193.230.245.6/pub/mirrors/gentoo"
CONFIG_PROTECT="/etc /var/qmail/control /usr/share/config /usr/kde/2/share/confi
g /usr/kde/3/share/config /usr/X11R6/lib/X11/xkb"
CONFIG_PROTECT_MASK="/etc/gconf /etc/env.d"
PORTDIR="/usr/portage"
DISTDIR="/usr/portage/distfiles"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/public/tmp"
PORTDIR_OVERLAY=""
USE="x86 oss 3dnow apm avi crypt cups encode foomaticdb gif jpeg libg++ mad mikm
od mpeg ncurses nls pdflib png quicktime truetype xml2 xmms xv zlib gdbm berkdb 
slang readline tetex svga tcltk java mysql sdl gpm tcpd pam libwww perl python e
sd imlib oggvorbis mozilla cdr X gtk -gnome -alsa -kde -qt -arts opengl ssl mmx 
-motif -spell -emacs"
COMPILER="gcc3"
CHOST="i686-pc-linux-gnu"
CFLAGS="-march=i686 -O3 -pipe -fomit-frame-pointer"
CXXFLAGS="-march=i686 -O3 -pipe -fomit-frame-pointer"
ACCEPT_KEYWORDS="x86"
MAKEOPTS="-j2"
AUTOCLEAN="yes"
SYNC="rsync://193.230.245.6/gentoo-portage"
FEATURES="sandbox ccache"

Comment 1 Mamoru KOMACHI (RETIRED) gentoo-dev

2003-08-11 10:23:17 UTC

Fixed.  Thanks.