182998 2007-06-23 18:30 0000 sys-process/cronbase insecure permissions because of portage behaviour 2008-07-11 11:33:40 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED A4? [noglsa] P2 minor --- 1 jakub@gentoo.org security@gentoo.org cron-bugs@gentoo.org falco@gentoo.org pacho@condmat1.ciencias.uniovi.es jakub@gentoo.org 2007-06-23 18:30:48 0000 OK, this is how it *should* look like per sys-process/cronbase ebuild: drwxr-x--- 2 root root 216 2007-06-13 17:11 /etc/cron.daily drwxr-x--- 2 root root 72 2006-03-08 22:05 /etc/cron.hourly drwxr-x--- 2 root root 136 2007-06-22 22:51 /etc/cron.monthly drwxr-x--- 2 root root 72 2007-01-06 13:01 /etc/cron.weekly drwxr-x--- 4 root cron 120 2006-03-08 22:06 /var/spool/cron drwxr-x--- 2 root root 200 2007-06-23 20:10 /var/spool/cron/lastrun Except that portage does *not* change actual directory permissions if the directory already exists (see Bug 141619). A quick poll on #gentoo-dev shows that almost *noone* has the permissions right, most usually they are 0755 root:root, a couple of cases of /var/spool/cron owned by cron user, etc. etc. Also see Bug 182983. Suggested solution: revbump sys-process/cronbase and force chown/chmod in pkg_postinst, which works around portage behaviour. py@gentoo.org 2007-07-15 15:31:03 0000 cron, what's the status here? please advise. falco@gentoo.org 2007-08-29 21:04:53 0000 cronbase ebuild activity is rather low. I did the last revbump of vixie-cron and i can take care of cronbase too. (then i should join the cron herd) Just ping me again if noone of the cron herd wakes up. py@gentoo.org 2007-09-22 18:53:02 0000 (In reply to comment #2) > cronbase ebuild activity is rather low. I did the last revbump of vixie-cron > and i can take care of cronbase too. (then i should join the cron herd) > > Just ping me again if noone of the cron herd wakes up. > *ping* :) falco@gentoo.org 2007-09-26 21:37:37 0000 Hi arches, cronbase-0.3.2-r1 commited to the tree. After having emerged it, your system should be as described in comment #0. Please test, and mark stable if appropriate, thanks. cla@gentoo.org 2007-09-26 23:10:59 0000 (In reply to comment #4) > After having emerged it, your system should be as described in comment #0. *Mainly* that's happened. The only difference is uid/gid bit: drwxr-s--- 2 root cron 4096 wrz 27 00:58 /var/spool/cron/lastrun fmccor@gentoo.org 2007-09-26 23:26:54 0000 Sparc done. It sets ownership/permissions the way bug says it's supposed to. kumba@gentoo.org 2007-09-27 01:43:58 0000 mips stable. jer@gentoo.org 2007-09-27 01:44:29 0000 Stable for HPPA. fauli@gentoo.org 2007-09-27 07:56:10 0000 x86 stable armin76@gentoo.org 2007-09-27 11:08:04 0000 alpha/ia64 stable ranger@gentoo.org 2007-09-27 16:33:52 0000 ppc64 stable philantrop@gentoo.org 2007-09-28 17:42:44 0000 Marked stable on amd64. dertobi123@gentoo.org 2007-09-28 19:18:27 0000 ppc stable rbu@gentoo.org 2007-09-28 23:01:15 0000 If this stays at A4, it needs a vote. py@gentoo.org 2007-09-29 14:12:54 0000 Hmm, this is local, minor impact, so I vote NO. falco@gentoo.org 2007-10-02 21:22:11 0000 only information disclosure. No big impact. No and closing. Feel free to reopen if you disagree