Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 562470 - app-backup/burp-? - denied untrusted exec (due to file in group-writable directory) of /etc/burp/timer_script by /etc/burp/timer_script[burp:19803]
Summary: app-backup/burp-? - denied untrusted exec (due to file in group-writable dire...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Amadeusz Żołnowski (RETIRED)
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-07 12:20 UTC by Marcin Mirosław
Modified: 2016-07-03 14:26 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcin Mirosław 2015-10-07 12:20:50 UTC
Permission to /etc/burp are to wide, now are set to 775 but should be 755 (or even better, 700:) ).

On hardened kernel I'm getting:
[śro paź  7 13:46:43 2015] grsec: From 192.168.2.3: denied untrusted exec (due to file in group-writable directory) of /etc/burp/timer_script by /etc/burp/timer_script[burp:19803] uid/euid:106/106 gid/egid:111/111, parent /usr/sbin/burp[burp:19802] uid/euid:106/106 gid/egid:111/111


Reproducible: Always
Comment 1 Marcin Mirosław 2016-06-28 09:00:56 UTC
Is there something I can do to help fix the bug?
Comment 2 Amadeusz Żołnowski (RETIRED) gentoo-dev 2016-06-28 21:04:17 UTC
Burp needs write access to this directory at least first time. The solution would be to move these scripts into different directory, e.g. somewhere in /usr/share or /usr/lib.
Comment 3 Marcin Mirosław 2016-06-30 07:34:37 UTC
The easiest way is set more narrow permissons of directory /etc/burp. Moving scripts to /usr/share is also good idea but I think it's something which can be done in burp-2.x. Didi you consider to add masked ebuild for burp 2.X to the tree?
With protocol=1 should be faster than burp-1.x (as we saw recently, with protocol=2 we can have data corruption in backup).
Comment 4 Amadeusz Żołnowski (RETIRED) gentoo-dev 2016-06-30 19:14:50 UTC
Burp needs this to be writeable. Easier would be to move these scripts out of /etc, actually.
Comment 5 Amadeusz Żołnowski (RETIRED) gentoo-dev 2016-06-30 19:19:42 UTC
Wrt burp-2.0 - no until upstream consider it stable. There's no point having a masked ebuild in the tree.
Comment 6 Amadeusz Żołnowski (RETIRED) gentoo-dev 2016-07-02 20:52:24 UTC
Fixed in burp-1.4.40-r3. I have moved scripts out of /etc. Permissions remain.
Comment 7 Marcin Mirosław 2016-07-03 14:26:53 UTC
Thank you.