Accepting request 545972 from home:jsegitz:branches:Base:System

- Ensure that /etc/cron.{hourly,daily,weekly,monthly} have proper permissions and owner. This is racy but prevents some LPE vectors OBS-URL: https://build.opensuse.org/request/show/545972 OBS-URL: https://build.opensuse.org/package/show/Base:System/cronie?expand=0&rev=161
2017-11-27 13:25:16 +00:00 · 2017-11-27 13:25:16 +00:00 · e61cf249e1
commit e61cf249e1
parent 8799c06388
3 changed files with 44 additions and 0 deletions
--- a/cronie.changes
+++ b/cronie.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Mon Nov 27 09:48:27 UTC 2017 - jsegitz@suse.com
+
+- Ensure that /etc/cron.{hourly,daily,weekly,monthly} have proper
+  permissions and owner. This is racy but prevents some LPE vectors
+
 -------------------------------------------------------------------
 Fri Nov 24 17:25:56 UTC 2017 - kstreitova@suse.com

--- a/22
+++ b/22
@ -34,6 +34,8 @@
 #        bnc#812367 support MAILFROM as cron does
 #     2016-08-08 - tchvatal@suse.com
 #        bnc#983925 run crons even on battery
+#     2017-10-24 - jsegitz@suse.de
+#        bsc#1062722 - harden run-cron to ensure correct directory permissions

 if [ -f /etc/sysconfig/cron ]; then
 	. /etc/sysconfig/cron
@ -99,8 +101,28 @@ mkdir -p $SPOOL
 #set verbose
 ## stage 1,  search directories/scripts to run
 RUN=""
+SECURE_PERMISSIONS="${SECURE_DIR_PERMISSIONS:-755}"
 for CRONDIR in /etc/cron.{hourly,daily,weekly,monthly} ; do
    test -d $CRONDIR || continue
+    # this is racy but better than nothing
+    if [ ! "$ENFORCE_ROOT_OWNER_GROUP_DIR" = "no" ] && [ ! -O $CRONDIR -o ! -G $CRONDIR ]; then
+      echo "wrong owner/group for $CRONDIR, skipping" | logger
+      continue
+    fi
+    ACTUAL_PERMISSIONS=$(stat -c %a $CRONDIR)
+    # to have this default to false would be better, but would require a more
+    # complicated logic in the loop 
+    PERMISSIONS_ARE_SECURE=true
+    for (( i=0; i<${#ACTUAL_PERMISSIONS}; i++ )); do
+      if [ "${ACTUAL_PERMISSIONS:$i:1}" -gt "${SECURE_PERMISSIONS:$i:1}" ]; then
+        PERMISSIONS_ARE_SECURE=false
+      fi
+    done
+    if [ ! "$PERMISSIONS_ARE_SECURE" = true ]; then
+      echo "wrong permissions $ACTUAL_PERMISSIONS for $CRONDIR, expecting $SECURE_PERMISSIONS. Skipping" | logger
+      continue
+    fi
+
    BASE=${CRONDIR##*/}
    TIME_EXT=${BASE##cron.}
    
--- a/sysconfig.cron
+++ b/sysconfig.cron
@ -74,3 +74,19 @@ DELETE_OLD_CATMAN=yes
 # How long should old preformatted man pages be kept before deletion? (days)
 #
 CATMAN_ATIME=7
+
+## Type:	yesno
+## Default:	yes
+#
+# Force cron.{hourly,daily,weekly,monthly} to be
+# owned by user and group root
+#
+ENFORCE_ROOT_OWNER_GROUP_DIR="yes"
+
+## Type:	integer
+## Default:	755
+#
+# Force cron.{hourly,daily,weekly,monthly} to have
+# at most the listed permissions
+#
+SECURE_DIR_PERMISSIONS="755"