diff --git a/cronie.changes b/cronie.changes index 63234ef..9ac3126 100644 --- a/cronie.changes +++ b/cronie.changes @@ -1,3 +1,21 @@ +------------------------------------------------------------------- +Mon Nov 27 09:48:27 UTC 2017 - jsegitz@suse.com + +- Ensure that /etc/cron.{hourly,daily,weekly,monthly} have proper + permissions and owner. This is racy but prevents some LPE vectors + +------------------------------------------------------------------- +Fri Nov 24 17:25:56 UTC 2017 - kstreitova@suse.com + +- Requires smtp_daemon (not just Recommends) as it's needed by + run-crons script [bsc#1064834] + +------------------------------------------------------------------- +Thu Nov 23 13:39:47 UTC 2017 - rbrown@suse.com + +- Replace references to /var/adm/fillup-templates with new + %_fillupdir macro (boo#1069468) + ------------------------------------------------------------------- Mon Aug 21 09:31:32 CEST 2017 - kukuk@suse.de diff --git a/cronie.spec b/cronie.spec index b5c4eaf..615674a 100644 --- a/cronie.spec +++ b/cronie.spec @@ -16,6 +16,11 @@ # +#Compat macro for new _fillupdir macro introduced in Nov 2017 +%if ! %{defined _fillupdir} + %define _fillupdir /var/adm/fillup-templates +%endif + %define cron_configs %{_sysconfdir}/pam.d/crond %{_sysconfdir}/crontab %{_sysconfdir}/cron.deny Name: cronie Version: 1.5.1 @@ -61,7 +66,7 @@ Requires(pre): cron %if 0%{?suse_version} >= 1330 Requires(pre): group(trusted) %endif -Recommends: smtp_daemon +Requires: smtp_daemon Suggests: postfix Conflicts: cron <= 4.1 BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -139,8 +144,8 @@ install -m 644 contrib/anacrontab %{buildroot}%{_sysconfdir}/anacrontab install -c -m755 contrib/0anacron %{buildroot}%{_sysconfdir}/cron.hourly/0anacron mkdir -p %{buildroot}%{_localstatedir}/spool/anacron mv %{buildroot}%{_sbindir}/crond %{buildroot}%{_sbindir}/cron -mkdir -p %{buildroot}%{_localstatedir}/adm/fillup-templates -cp %{SOURCE9} %{buildroot}%{_localstatedir}/adm/fillup-templates/ +mkdir -p %{buildroot}%{_fillupdir} +cp %{SOURCE9} %{buildroot}%{_fillupdir}/ touch %{buildroot}%{_localstatedir}/spool/anacron/cron.daily touch %{buildroot}%{_localstatedir}/spool/anacron/cron.weekly @@ -206,7 +211,7 @@ exit 0 %{_sbindir}/rccron %{_libexecdir}/cron %{_unitdir}/cron.service -%{_localstatedir}/adm/fillup-templates/sysconfig.cron +%{_fillupdir}/sysconfig.cron %files anacron %defattr(-,root,root,-) diff --git a/run-crons b/run-crons index ca695d0..0692420 100644 --- a/run-crons +++ b/run-crons @@ -34,6 +34,8 @@ # bnc#812367 support MAILFROM as cron does # 2016-08-08 - tchvatal@suse.com # bnc#983925 run crons even on battery +# 2017-10-24 - jsegitz@suse.de +# bsc#1062722 - harden run-cron to ensure correct directory permissions if [ -f /etc/sysconfig/cron ]; then . /etc/sysconfig/cron @@ -99,8 +101,28 @@ mkdir -p $SPOOL #set verbose ## stage 1, search directories/scripts to run RUN="" +SECURE_PERMISSIONS="${SECURE_DIR_PERMISSIONS:-755}" for CRONDIR in /etc/cron.{hourly,daily,weekly,monthly} ; do test -d $CRONDIR || continue + # this is racy but better than nothing + if [ ! "$ENFORCE_ROOT_OWNER_GROUP_DIR" = "no" ] && [ ! -O $CRONDIR -o ! -G $CRONDIR ]; then + echo "wrong owner/group for $CRONDIR, skipping" | logger + continue + fi + ACTUAL_PERMISSIONS=$(stat -c %a $CRONDIR) + # to have this default to false would be better, but would require a more + # complicated logic in the loop + PERMISSIONS_ARE_SECURE=true + for (( i=0; i<${#ACTUAL_PERMISSIONS}; i++ )); do + if [ "${ACTUAL_PERMISSIONS:$i:1}" -gt "${SECURE_PERMISSIONS:$i:1}" ]; then + PERMISSIONS_ARE_SECURE=false + fi + done + if [ ! "$PERMISSIONS_ARE_SECURE" = true ]; then + echo "wrong permissions $ACTUAL_PERMISSIONS for $CRONDIR, expecting $SECURE_PERMISSIONS. Skipping" | logger + continue + fi + BASE=${CRONDIR##*/} TIME_EXT=${BASE##cron.} diff --git a/sysconfig.cron b/sysconfig.cron index 452fa63..f082436 100644 --- a/sysconfig.cron +++ b/sysconfig.cron @@ -74,3 +74,19 @@ DELETE_OLD_CATMAN=yes # How long should old preformatted man pages be kept before deletion? (days) # CATMAN_ATIME=7 + +## Type: yesno +## Default: yes +# +# Force cron.{hourly,daily,weekly,monthly} to be +# owned by user and group root +# +ENFORCE_ROOT_OWNER_GROUP_DIR="yes" + +## Type: integer +## Default: 755 +# +# Force cron.{hourly,daily,weekly,monthly} to have +# at most the listed permissions +# +SECURE_DIR_PERMISSIONS="755"