Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 607430

Summary: Gentoo: order of installed packages may result in vary directories permissions, leading to crontab not requiring cron group membership as example.
Product: Gentoo Security Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: AuditingAssignee: Gentoo Security Audit Team <security-audit>
Status: RESOLVED DUPLICATE    
Severity: normal CC: dev-portage, nobrowser, slashbeast
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2017/01/28/3
See Also: https://bugs.gentoo.org/show_bug.cgi?id=396153
https://bugs.gentoo.org/show_bug.cgi?id=141619
https://bugs.gentoo.org/show_bug.cgi?id=58611
https://bugs.gentoo.org/show_bug.cgi?id=654138
Whiteboard:
Package list:
Runtime testing required: ---

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-01-27 22:15:07 UTC
The following message was posted on oss-sec ML:"""
Hi,

The packages in Gentoo often utilizes Portage's functions like keepdir to create a directories, with specified permissions. One of the examples is 'cronbase', which the only purpose is to setup /etc/cron.{hourly,daily,weekly,monthly} and /var/spool/cron.

The /var/spool/cron is meant to have root:cron 750, which makes the crontab usable only for the users that are members of cron group.

As for the /etc/cron.{hourly,daily,weekly,monthly} they're meant to be root:root 750.

If, for instance, a mlocate package will be installed before cronbase, due to installing /etc/cron.daily/mlocate, the /etc/cron.daily will end up with 755 permissions. After than when crontab package is installed, due to usage of portage's keepdir function, the directory in temporary directory will be installed as root:cron 750, but during the merge process to rootfs no directory permissions will be merged, leaving the /etc/cron.daily as 755.

On one system after installing set of packages, the /var/spool/cron ended up being cron:root 755, which results in possibility for any local user to actually create the crontabs (including system users like nginx, mysql, and so on).

The way a (directory) ownership and permissions are handled in Gentoo seems to be flawed, it's not clear to me whatever Portage should provided a soluton to that, or the ebuilds authors should make sure to always depends, in case of touching cronbase directories, on the cronbase package, to ensure that it's installed prior to installing them. Nonetheless I do believe this issue is worth CVE.

-- Piotr. 
"""

Is there any comment from the portage team on this?
Comment 1 Zac Medico gentoo-dev 2017-01-27 22:32:11 UTC
(In reply to Kristian Fiskerstrand from comment #0)
> The way a (directory) ownership and permissions are handled in Gentoo seems
> to be flawed,

Yeah it's bug 141619, and there's a proposal for resolving conflicts in bug 396153.

> it's not clear to me whatever Portage should provided a
> soluton to that, or the ebuilds authors should make sure to always depends,
> in case of touching cronbase directories, on the cronbase package, to ensure
> that it's installed prior to installing them. Nonetheless I do believe this
> issue is worth CVE.
> 
> -- Piotr. 
> """
> 
> Is there any comment from the portage team on this?

An alternative to the dependency-based approach would be for cronbase to force the permissions in pkg_postinst.
Comment 2 Piotr Karbowski archtester Gentoo Infrastructure gentoo-dev Security 2017-01-27 23:08:17 UTC
In regard to cron directories, yes. But I suspect they may be some other packages out there that suffer from the same thing.

Did you ever considered a mechanism, similar to the dpkg-statoverrride, that would allow packages to register particular permissions for files/directories to enforce permissions, so even if a package merges with, for example, 755, portage would force it to 750?

I think this is something that could be done even on bashrc level with post_pkg_postinst hook to adjust the on-rootfs permissions as well as do the same on pre_pkg_merge to adjust them in $D, so in case that they don't exist on rootfs, they would be merged with the globally enforced permissions.
Comment 3 Mike Gilbert gentoo-dev 2017-01-28 05:14:38 UTC
This is a duplicate of bug 607426.
Comment 4 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-01-28 12:25:48 UTC

*** This bug has been marked as a duplicate of bug 607426 ***