Bug 182998 - sys-process/cronbase insecure permissions because of portage behaviour
Bug#: 182998 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: minor Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: jakub@gentoo.org
Component: Vulnerabilities
URL: 
Summary: sys-process/cronbase insecure permissions because of portage behaviour
Keywords:  
Status Whiteboard: A4? [noglsa]
Opened: 2007-06-23 18:30 0000
Description:   Opened: 2007-06-23 18:30 0000 
OK, this is how it *should* look like per sys-process/cronbase ebuild:

drwxr-x--- 2 root root 216 2007-06-13 17:11 /etc/cron.daily
drwxr-x--- 2 root root  72 2006-03-08 22:05 /etc/cron.hourly
drwxr-x--- 2 root root 136 2007-06-22 22:51 /etc/cron.monthly
drwxr-x--- 2 root root  72 2007-01-06 13:01 /etc/cron.weekly
drwxr-x--- 4 root cron 120 2006-03-08 22:06 /var/spool/cron
drwxr-x--- 2 root root 200 2007-06-23 20:10 /var/spool/cron/lastrun

Except that portage does *not* change actual directory permissions if the
directory already exists (see Bug 141619). A quick poll on #gentoo-dev shows
that almost *noone* has the permissions right, most usually they are 0755
root:root, a couple of cases of /var/spool/cron owned by cron user, etc. etc.
Also see Bug 182983.

Suggested solution: revbump sys-process/cronbase and force chown/chmod in
pkg_postinst, which works around portage behaviour.

------- Comment #1 From Pierre-Yves Rofes 2007-07-15 15:31:03 0000 ------- 
cron, what's the status here? please advise.

------- Comment #2 From Raphael Marichez 2007-08-29 21:04:53 0000 ------- 
cronbase ebuild activity is rather low. I did the last revbump of vixie-cron
and i can take care of cronbase too. (then i should join the cron herd)

Just ping me again if noone of the cron herd wakes up.

------- Comment #3 From Pierre-Yves Rofes 2007-09-22 18:53:02 0000 ------- 
(In reply to comment #2)
> cronbase ebuild activity is rather low. I did the last revbump of vixie-cron
> and i can take care of cronbase too. (then i should join the cron herd)
> 
> Just ping me again if noone of the cron herd wakes up.
> 

*ping* :)

------- Comment #4 From Raphael Marichez 2007-09-26 21:37:37 0000 ------- 
Hi arches,

cronbase-0.3.2-r1 commited to the tree.

After having emerged it, your system should be as described in comment #0.

Please test, and mark stable if appropriate, thanks.

------- Comment #5 From Dawid Węgliński 2007-09-26 23:10:59 0000 ------- 
(In reply to comment #4)
> After having emerged it, your system should be as described in comment #0.

*Mainly* that's happened. The only difference is uid/gid bit:
drwxr-s--- 2 root cron 4096 wrz 27 00:58 /var/spool/cron/lastrun

------- Comment #6 From Ferris McCormick 2007-09-26 23:26:54 0000 ------- 
Sparc done.  It sets ownership/permissions the way bug says it's supposed to.

------- Comment #7 From Joshua Kinard 2007-09-27 01:43:58 0000 ------- 
mips stable.

------- Comment #8 From Jeroen Roovers 2007-09-27 01:44:29 0000 ------- 
Stable for HPPA.

------- Comment #9 From Christian Faulhammer 2007-09-27 07:56:10 0000 ------- 
x86 stable

------- Comment #10 From Raúl Porcel 2007-09-27 11:08:04 0000 ------- 
alpha/ia64 stable

------- Comment #11 From Brent Baude 2007-09-27 16:33:52 0000 ------- 
ppc64 stable

------- Comment #12 From Wulf Krueger (RETIRED) 2007-09-28 17:42:44 0000 ------- 
Marked stable on amd64.

------- Comment #13 From Tobias Scherbaum 2007-09-28 19:18:27 0000 ------- 
ppc stable

------- Comment #14 From Robert Buchholz 2007-09-28 23:01:15 0000 ------- 
If this stays at A4, it needs a vote.

------- Comment #15 From Pierre-Yves Rofes 2007-09-29 14:12:54 0000 ------- 
Hmm, this is local, minor impact, so I vote NO.

------- Comment #16 From Raphael Marichez 2007-10-02 21:22:11 0000 ------- 
only information disclosure. No big impact. No and closing. Feel free to reopen
if you disagree