Bug 182998

Summary:	sys-process/cronbase insecure permissions because of portage behaviour
Product:	Gentoo Security	Reporter:	Jakub Moc (RETIRED) <jakub>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	cron-bugs+disabled, falco, pacho
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	A4? [noglsa]
Package list:		Runtime testing required:	---

Description Jakub Moc (RETIRED) gentoo-dev

2007-06-23 18:30:48 UTC

OK, this is how it *should* look like per sys-process/cronbase ebuild:

drwxr-x--- 2 root root 216 2007-06-13 17:11 /etc/cron.daily
drwxr-x--- 2 root root  72 2006-03-08 22:05 /etc/cron.hourly
drwxr-x--- 2 root root 136 2007-06-22 22:51 /etc/cron.monthly
drwxr-x--- 2 root root  72 2007-01-06 13:01 /etc/cron.weekly
drwxr-x--- 4 root cron 120 2006-03-08 22:06 /var/spool/cron
drwxr-x--- 2 root root 200 2007-06-23 20:10 /var/spool/cron/lastrun

Except that portage does *not* change actual directory permissions if the directory already exists (see Bug 141619). A quick poll on #gentoo-dev shows that almost *noone* has the permissions right, most usually they are 0755 root:root, a couple of cases of /var/spool/cron owned by cron user, etc. etc. Also see Bug 182983.

Suggested solution: revbump sys-process/cronbase and force chown/chmod in pkg_postinst, which works around portage behaviour.

Comment 1 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-07-15 15:31:03 UTC

cron, what's the status here? please advise.

Comment 2 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2007-08-29 21:04:53 UTC

cronbase ebuild activity is rather low. I did the last revbump of vixie-cron and i can take care of cronbase too. (then i should join the cron herd)

Just ping me again if noone of the cron herd wakes up.

Comment 3 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-09-22 18:53:02 UTC

(In reply to comment #2)
> cronbase ebuild activity is rather low. I did the last revbump of vixie-cron
> and i can take care of cronbase too. (then i should join the cron herd)
> 
> Just ping me again if noone of the cron herd wakes up.
> 

*ping* :)

Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2007-09-26 21:37:37 UTC

Hi arches,

cronbase-0.3.2-r1 commited to the tree.

After having emerged it, your system should be as described in comment #0.

Please test, and mark stable if appropriate, thanks.

Comment 5 Dawid Węgliński (RETIRED) gentoo-dev

2007-09-26 23:10:59 UTC

(In reply to comment #4)
> After having emerged it, your system should be as described in comment #0.

*Mainly* that's happened. The only difference is uid/gid bit:
drwxr-s--- 2 root cron 4096 wrz 27 00:58 /var/spool/cron/lastrun

Comment 6 Ferris McCormick (RETIRED) gentoo-dev

2007-09-26 23:26:54 UTC

Sparc done.  It sets ownership/permissions the way bug says it's supposed to.

Comment 7 Joshua Kinard gentoo-dev

2007-09-27 01:43:58 UTC

mips stable.

Comment 8 Jeroen Roovers (RETIRED) gentoo-dev

2007-09-27 01:44:29 UTC

Stable for HPPA.

Comment 9 Christian Faulhammer (RETIRED) gentoo-dev

2007-09-27 07:56:10 UTC

x86 stable

Comment 10 Raúl Porcel (RETIRED) gentoo-dev

2007-09-27 11:08:04 UTC

alpha/ia64 stable

Comment 11 Brent Baude (RETIRED) gentoo-dev

2007-09-27 16:33:52 UTC

ppc64 stable

Comment 12 Wulf Krueger (RETIRED) gentoo-dev

2007-09-28 17:42:44 UTC

Marked stable on amd64.

Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev

2007-09-28 19:18:27 UTC

ppc stable

Comment 14 Robert Buchholz (RETIRED) gentoo-dev

2007-09-28 23:01:15 UTC

If this stays at A4, it needs a vote.

Comment 15 Pierre-Yves Rofes (RETIRED) gentoo-dev

2007-09-29 14:12:54 UTC

Hmm, this is local, minor impact, so I vote NO.

Comment 16 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2007-10-02 21:22:11 UTC

only information disclosure. No big impact. No and closing. Feel free to reopen if you disagree