From e61cf249e114d30d58c798a38fa7f3d2cbad42a0ed2493f10d19d51b94523fd2 Mon Sep 17 00:00:00 2001 From: Kristyna Streitova Date: Mon, 27 Nov 2017 13:25:16 +0000 Subject: [PATCH] Accepting request 545972 from home:jsegitz:branches:Base:System - Ensure that /etc/cron.{hourly,daily,weekly,monthly} have proper permissions and owner. This is racy but prevents some LPE vectors OBS-URL: https://build.opensuse.org/request/show/545972 OBS-URL: https://build.opensuse.org/package/show/Base:System/cronie?expand=0&rev=161 --- cronie.changes | 6 ++++++ run-crons | 22 ++++++++++++++++++++++ sysconfig.cron | 16 ++++++++++++++++ 3 files changed, 44 insertions(+) diff --git a/cronie.changes b/cronie.changes index 639f231..9ac3126 100644 --- a/cronie.changes +++ b/cronie.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Nov 27 09:48:27 UTC 2017 - jsegitz@suse.com + +- Ensure that /etc/cron.{hourly,daily,weekly,monthly} have proper + permissions and owner. This is racy but prevents some LPE vectors + ------------------------------------------------------------------- Fri Nov 24 17:25:56 UTC 2017 - kstreitova@suse.com diff --git a/run-crons b/run-crons index ca695d0..0692420 100644 --- a/run-crons +++ b/run-crons @@ -34,6 +34,8 @@ # bnc#812367 support MAILFROM as cron does # 2016-08-08 - tchvatal@suse.com # bnc#983925 run crons even on battery +# 2017-10-24 - jsegitz@suse.de +# bsc#1062722 - harden run-cron to ensure correct directory permissions if [ -f /etc/sysconfig/cron ]; then . /etc/sysconfig/cron @@ -99,8 +101,28 @@ mkdir -p $SPOOL #set verbose ## stage 1, search directories/scripts to run RUN="" +SECURE_PERMISSIONS="${SECURE_DIR_PERMISSIONS:-755}" for CRONDIR in /etc/cron.{hourly,daily,weekly,monthly} ; do test -d $CRONDIR || continue + # this is racy but better than nothing + if [ ! "$ENFORCE_ROOT_OWNER_GROUP_DIR" = "no" ] && [ ! -O $CRONDIR -o ! -G $CRONDIR ]; then + echo "wrong owner/group for $CRONDIR, skipping" | logger + continue + fi + ACTUAL_PERMISSIONS=$(stat -c %a $CRONDIR) + # to have this default to false would be better, but would require a more + # complicated logic in the loop + PERMISSIONS_ARE_SECURE=true + for (( i=0; i<${#ACTUAL_PERMISSIONS}; i++ )); do + if [ "${ACTUAL_PERMISSIONS:$i:1}" -gt "${SECURE_PERMISSIONS:$i:1}" ]; then + PERMISSIONS_ARE_SECURE=false + fi + done + if [ ! "$PERMISSIONS_ARE_SECURE" = true ]; then + echo "wrong permissions $ACTUAL_PERMISSIONS for $CRONDIR, expecting $SECURE_PERMISSIONS. Skipping" | logger + continue + fi + BASE=${CRONDIR##*/} TIME_EXT=${BASE##cron.} diff --git a/sysconfig.cron b/sysconfig.cron index 452fa63..f082436 100644 --- a/sysconfig.cron +++ b/sysconfig.cron @@ -74,3 +74,19 @@ DELETE_OLD_CATMAN=yes # How long should old preformatted man pages be kept before deletion? (days) # CATMAN_ATIME=7 + +## Type: yesno +## Default: yes +# +# Force cron.{hourly,daily,weekly,monthly} to be +# owned by user and group root +# +ENFORCE_ROOT_OWNER_GROUP_DIR="yes" + +## Type: integer +## Default: 755 +# +# Force cron.{hourly,daily,weekly,monthly} to have +# at most the listed permissions +# +SECURE_DIR_PERMISSIONS="755"