| Field | Value |
|---|---|
| Summary | Gentoo: order of installed packages may result in varying directory permissions, leading to crontab not requiring cron group membership, as an example. |
| Product | Gentoo Security |
| Reporter | Kristian Fiskerstrand (RETIRED) <k_f> |
| Component | Auditing |
| Assignee | Gentoo Security Audit Team <security-audit> |
| Status | RESOLVED DUPLICATE |
| Severity | normal |
| CC | dev-portage, nobrowser, slashbeast |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.openwall.com/lists/oss-security/2017/01/28/3 |
| See Also | https://bugs.gentoo.org/show_bug.cgi?id=396153, https://bugs.gentoo.org/show_bug.cgi?id=141619, https://bugs.gentoo.org/show_bug.cgi?id=58611, https://bugs.gentoo.org/show_bug.cgi?id=654138 |
| Whiteboard | |
| Package list | |
| Runtime testing required | --- |
Description
Kristian Fiskerstrand (RETIRED)
(In reply to Kristian Fiskerstrand from comment #0)
> The way (directory) ownership and permissions are handled in Gentoo seems to be flawed,

Yeah, it's bug 141619, and there's a proposal for resolving conflicts in bug 396153.

> it's not clear to me whether Portage should provide a solution to that, or the ebuild authors should make sure to always depend, in case of touching cronbase directories, on the cronbase package, to ensure that it's installed prior to installing them. Nonetheless I do believe this issue is worth a CVE.
>
> -- Piotr.
> """
>
> Is there any comment from the portage team on this?

An alternative to the dependency-based approach would be for cronbase to force the permissions in pkg_postinst.

In regard to cron directories, yes. But I suspect there may be some other packages out there that suffer from the same thing. Did you ever consider a mechanism, similar to dpkg-statoverride, that would allow packages to register particular permissions for files/directories to enforce, so even if a package merges with, for example, 755, Portage would force it to 750? I think this is something that could be done even at the bashrc level with a post_pkg_postinst hook to adjust the on-rootfs permissions, as well as doing the same in pre_pkg_merge to adjust them in $D, so in case they don't exist on the rootfs, they would be merged with the globally enforced permissions.

This is a duplicate of bug 607426.

*** This bug has been marked as a duplicate of bug 607426 ***
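The statoverride-style idea discussed in the thread, as an added example that is not part of this bug report and not Gentoo's or Portage's own code: a small `/etc/portage/bashrc` fragment that keeps a table of directories with a mandated owner, group and mode, and re-applies it both to the staged image in `$D` before merge and to the live root after `pkg_postinst`, so the outcome no longer depends on which package happened to create the directory first. Assumptions: the override table is constructed for illustration; the hook names `pre_pkg_preinst` and `post_pkg_postinst` are the Portage bashrc phase hooks used here in place of the `pre_pkg_merge` the comment mentions (`pre_pkg_preinst` is the point where `$D` is fully staged); ownership is only changed when running as root, mode is always enforced.

```shell
#!/bin/sh
# Added example, not Gentoo/Portage code: enforce fixed permissions on a set of
# directories regardless of which package merged them (dpkg-statoverride idea).

# Constructed override table: <path> <owner> <group> <mode>, one entry per line.
# The cron directories here are illustrative values, not a Gentoo policy.
PERM_OVERRIDES='
/etc/cron.d root cron 0750
/etc/cron.hourly root cron 0750
/etc/cron.daily root cron 0750
/etc/cron.weekly root cron 0750
'

# apply_perm_overrides <prefix>
# Walks the table and, for every directory that exists under <prefix>
# (the staged image $D, or the live root), forces the listed mode and, when
# running as root, the listed owner:group. Prints how many entries it adjusted.
apply_perm_overrides() {
    prefix=${1%/}
    adjusted=0
    while read -r path owner group mode; do
        [ -n "$path" ] || continue            # skip blank lines in the table
        target="$prefix$path"
        [ -d "$target" ] || continue          # only touch what this tree has
        if [ "$(id -u)" = 0 ]; then
            chown "$owner:$group" "$target"   # ownership needs root
        fi
        chmod "$mode" "$target"               # mode is enforced unconditionally
        adjusted=$((adjusted + 1))
    done <<EOF
$PERM_OVERRIDES
EOF
    echo "$adjusted"
}

# Portage bashrc phase hooks (assumed names; see lead-in).
# Before merge: fix the staged copy so a package that ships /etc/cron.d as 755
# never lands it that way on the root filesystem.
pre_pkg_preinst() {
    apply_perm_overrides "${D}" >/dev/null
}

# After install: re-check the live root in case the directory pre-existed with
# permissions set by an earlier, unrelated package.
post_pkg_postinst() {
    apply_perm_overrides "${ROOT:-/}" >/dev/null
}
```

Running `apply_perm_overrides` on both `$D` and `$ROOT` is what makes ordering irrelevant: the staged tree is corrected before it is merged, and anything already on disk is corrected afterwards. A practitioner would also want the table to be owned by the packages themselves (registered the way dpkg-statoverride entries are) rather than hand-maintained, and to log each adjustment so an unexpected 755 on a cron directory is visible in the emerge output rather than silently repaired.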