Bug#: 164875
Status: CLOSED
Resolution: DUPLICATE of bug 156183
Assigned To: Gentoo Linux bug wranglers <bug-wranglers@gentoo.org>
Reporter: Arthur Britto <ahbritto@iat.com>





Description:   Opened: 2007-02-01 17:12 0000
By default, sys-apps/pciutils installs an entry in cron.monthly called
update-pciutils.  Monthly this initiates outside network communication and
e-mails the output of the data transfer to root.

This is wrong:
1. Any communication from a host should be approved by the system
administrator.
2. Any communication done as root should be approved by the system
administrator.
3. This does not scale well.  Every host that has this script will on the same
day in a synchronized fashion (at 5:30 am localtime) attempt to download:
http://pciids.sourceforge.net/v2.2/pci.ids
4. For every host this package is installed on a monthly message is sent to the
system administrator.
5. This can cause security investigation to be initiated by the system
administrator.

1 and 2 are fundamental security principles.
3 is broken and an unintentional DOS attack on http://pciids.sourceforge.net
4 is annoying
5 may detract from resources needed to handle real security events, is panic
inducing and annoying, and shows badly on gentoo.

This whole thing is very scary. I received a message from root informing me of
the output of a data transfer operation run by cron.  Of course, my first
thought is my system may have been compromised, leading to a security
investigation.   This is the type of thing administrators should not have to
deal with by default.


Reproducible: Always

Steps to Reproduce:
1. emerge sys-apps/pciutils
2. wait for /etc/cron.monthly/* to run.
Actual Results:
By default /usr/sbin/update-pciutils is run monthly and data transfer output
is sent to root.

Expected Results:  
No unapproved data transfer.

Suggestions:
(1) Minimally add a use flag, that is disabled by default, for this monthly
update.
(2) Randomize the monthly time of the download.
(3) Only after (1) and (2), silence the output of this script unless there are
problems.


I use sys-process/vixie-cron-4.1-r9, other cron packages may run cron.monthly
on a different schedule.
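
Suggestions (2) and (3) above, as an added example that is not part of the bug report or of the pciutils package: a sh wrapper for a cron.monthly job that sleeps a random interval before fetching pci.ids and lets cron mail root only when the download actually fails. The destination path, the script name and the `run` argument are assumptions; the URL is the one quoted in the report.

```shell
#!/bin/sh
# Added example, not the pciutils package's script: a quieter, de-synchronized
# replacement for a cron.monthly pci.ids update. Install path and script name
# are assumptions; the URL is the one quoted in the bug report.

PCIIDS_URL="http://pciids.sourceforge.net/v2.2/pci.ids"
DEST="${DEST:-/usr/share/misc/pci.ids}"   # assumed destination, override via env

# Print a random integer in [0, max). awk's rand() keeps this plain POSIX sh.
random_delay_seconds() {
    awk -v max="$1" 'BEGIN { srand(); printf "%d\n", int(rand() * max) }'
}

# Run a command with its output captured. Print that output (which cron then
# mails to root) only if the command fails, and pass the exit status through.
run_quietly() {
    log=$(mktemp) || return 1
    if "$@" >"$log" 2>&1; then status=0; else status=$?; fi
    if [ "$status" -ne 0 ]; then
        echo "$* failed with status $status:"
        cat "$log"
    fi
    rm -f "$log"
    return "$status"
}

# Download to a temporary file and only then replace DEST, so a failed or
# empty transfer never leaves a truncated pci.ids behind.
update_pciids() {
    dl=$(mktemp) || return 1
    if wget -q -O "$dl" "$PCIIDS_URL" && [ -s "$dl" ]; then
        chmod 644 "$dl" && mv "$dl" "$DEST"
    else
        rm -f "$dl"
        return 1
    fi
}

main() {
    # Spread fleet-wide downloads over up to 12 hours instead of all at 05:30.
    sleep "$(random_delay_seconds 43200)"
    run_quietly update_pciids
}

# /etc/cron.monthly/update-pciutils can be reduced to: exec /path/to/this run
case "${1:-}" in run) main ;; esac
```

With this in place cron's mail to root carries the wget diagnostics on failure and nothing at all on success.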

------- Comment #1 From Jakub Moc (RETIRED) 2007-02-01 17:15:13 0000 -------
Not security.

------- Comment #2 From Jakub Moc (RETIRED) 2007-02-01 17:16:37 0000 -------

*** This bug has been marked as a duplicate of bug 156183 ***

------- Comment #3 From Jasmin Buchert 2007-02-02 07:47:03 0000 -------
"Not security." sounds like a very quick conclusion.
It should be optional and at least use randomized cron times. But even random
cron times could produce significantly more unnecessary traffic.
Not to mention that it's very ugly to get mail from cron on some kind of
transfer without mentioning what is being transferred.

------- Comment #4 From Jakub Moc (RETIRED) 2007-02-02 09:31:13 0000 -------
I fail to see how "unnecessary traffic" is a security issue or how randomized
cronjobs improve security in any way.

Closing, read the other bug and delete the cronjob if you dislike it.
