Accepting request 545972 from home:jsegitz:branches:Base:System
- Ensure that /etc/cron.{hourly,daily,weekly,monthly} have proper permissions and owner. This is racy but prevents some LPE vectors OBS-URL: https://build.opensuse.org/request/show/545972 OBS-URL: https://build.opensuse.org/package/show/Base:System/cronie?expand=0&rev=161
This commit is contained in:
parent
8799c06388
commit
e61cf249e1
@ -1,3 +1,9 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Nov 27 09:48:27 UTC 2017 - jsegitz@suse.com
|
||||||
|
|
||||||
|
- Ensure that /etc/cron.{hourly,daily,weekly,monthly} have proper
|
||||||
|
permissions and owner. This is racy but prevents some LPE vectors
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Fri Nov 24 17:25:56 UTC 2017 - kstreitova@suse.com
|
Fri Nov 24 17:25:56 UTC 2017 - kstreitova@suse.com
|
||||||
|
|
||||||
|
22
run-crons
22
run-crons
@ -34,6 +34,8 @@
|
|||||||
# bnc#812367 support MAILFROM as cron does
|
# bnc#812367 support MAILFROM as cron does
|
||||||
# 2016-08-08 - tchvatal@suse.com
|
# 2016-08-08 - tchvatal@suse.com
|
||||||
# bnc#983925 run crons even on battery
|
# bnc#983925 run crons even on battery
|
||||||
|
# 2017-10-24 - jsegitz@suse.de
|
||||||
|
# bsc#1062722 - harden run-cron to ensure correct directory permissions
|
||||||
|
|
||||||
if [ -f /etc/sysconfig/cron ]; then
|
if [ -f /etc/sysconfig/cron ]; then
|
||||||
. /etc/sysconfig/cron
|
. /etc/sysconfig/cron
|
||||||
@ -99,8 +101,28 @@ mkdir -p $SPOOL
|
|||||||
#set verbose
|
#set verbose
|
||||||
## stage 1, search directories/scripts to run
|
## stage 1, search directories/scripts to run
|
||||||
RUN=""
|
RUN=""
|
||||||
|
SECURE_PERMISSIONS="${SECURE_DIR_PERMISSIONS:-755}"
|
||||||
for CRONDIR in /etc/cron.{hourly,daily,weekly,monthly} ; do
|
for CRONDIR in /etc/cron.{hourly,daily,weekly,monthly} ; do
|
||||||
test -d $CRONDIR || continue
|
test -d $CRONDIR || continue
|
||||||
|
# this is racy but better than nothing
|
||||||
|
if [ ! "$ENFORCE_ROOT_OWNER_GROUP_DIR" = "no" ] && [ ! -O $CRONDIR -o ! -G $CRONDIR ]; then
|
||||||
|
echo "wrong owner/group for $CRONDIR, skipping" | logger
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
ACTUAL_PERMISSIONS=$(stat -c %a $CRONDIR)
|
||||||
|
# to have this default to false would be better, but would require a more
|
||||||
|
# complicated logic in the loop
|
||||||
|
PERMISSIONS_ARE_SECURE=true
|
||||||
|
for (( i=0; i<${#ACTUAL_PERMISSIONS}; i++ )); do
|
||||||
|
if [ "${ACTUAL_PERMISSIONS:$i:1}" -gt "${SECURE_PERMISSIONS:$i:1}" ]; then
|
||||||
|
PERMISSIONS_ARE_SECURE=false
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ ! "$PERMISSIONS_ARE_SECURE" = true ]; then
|
||||||
|
echo "wrong permissions $ACTUAL_PERMISSIONS for $CRONDIR, expecting $SECURE_PERMISSIONS. Skipping" | logger
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
BASE=${CRONDIR##*/}
|
BASE=${CRONDIR##*/}
|
||||||
TIME_EXT=${BASE##cron.}
|
TIME_EXT=${BASE##cron.}
|
||||||
|
|
||||||
|
@ -74,3 +74,19 @@ DELETE_OLD_CATMAN=yes
|
|||||||
# How long should old preformatted man pages be kept before deletion? (days)
|
# How long should old preformatted man pages be kept before deletion? (days)
|
||||||
#
|
#
|
||||||
CATMAN_ATIME=7
|
CATMAN_ATIME=7
|
||||||
|
|
||||||
|
## Type: yesno
|
||||||
|
## Default: yes
|
||||||
|
#
|
||||||
|
# Force cron.{hourly,daily,weekly,monthly} to be
|
||||||
|
# owned by user and group root
|
||||||
|
#
|
||||||
|
ENFORCE_ROOT_OWNER_GROUP_DIR="yes"
|
||||||
|
|
||||||
|
## Type: integer
|
||||||
|
## Default: 755
|
||||||
|
#
|
||||||
|
# Force cron.{hourly,daily,weekly,monthly} to have
|
||||||
|
# at most the listed permissions
|
||||||
|
#
|
||||||
|
SECURE_DIR_PERMISSIONS="755"
|
||||||
|
Loading…
Reference in New Issue
Block a user