Accepting request 545972 from home:jsegitz:branches:Base:System
- Ensure that /etc/cron.{hourly,daily,weekly,monthly} have proper permissions and owner. This is racy but prevents some LPE vectors OBS-URL: https://build.opensuse.org/request/show/545972 OBS-URL: https://build.opensuse.org/package/show/Base:System/cronie?expand=0&rev=161
parent
8799c06388
commit
e61cf249e1
@ -1,3 +1,9 @@
|
||||
-------------------------------------------------------------------
|
||||
Mon Nov 27 09:48:27 UTC 2017 - jsegitz@suse.com
|
||||
|
||||
- Ensure that /etc/cron.{hourly,daily,weekly,monthly} have proper
|
||||
permissions and owner. This is racy but prevents some LPE vectors
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Nov 24 17:25:56 UTC 2017 - kstreitova@suse.com
|
||||
|
||||
|
22
run-crons
22
run-crons
@ -34,6 +34,8 @@
|
||||
# bnc#812367 support MAILFROM as cron does
|
||||
# 2016-08-08 - tchvatal@suse.com
|
||||
# bnc#983925 run crons even on battery
|
||||
# 2017-10-24 - jsegitz@suse.de
|
||||
# bsc#1062722 - harden run-cron to ensure correct directory permissions
|
||||
|
||||
if [ -f /etc/sysconfig/cron ]; then
|
||||
. /etc/sysconfig/cron
|
||||
@ -99,8 +101,28 @@ mkdir -p $SPOOL
|
||||
#set verbose
|
||||
## stage 1, search directories/scripts to run
|
||||
RUN=""
|
||||
SECURE_PERMISSIONS="${SECURE_DIR_PERMISSIONS:-755}"
|
||||
for CRONDIR in /etc/cron.{hourly,daily,weekly,monthly} ; do
|
||||
test -d $CRONDIR || continue
|
||||
# this is racy but better than nothing
|
||||
if [ ! "$ENFORCE_ROOT_OWNER_GROUP_DIR" = "no" ] && [ ! -O $CRONDIR -o ! -G $CRONDIR ]; then
|
||||
echo "wrong owner/group for $CRONDIR, skipping" | logger
|
||||
continue
|
||||
fi
|
||||
ACTUAL_PERMISSIONS=$(stat -c %a $CRONDIR)
|
||||
# to have this default to false would be better, but would require a more
|
||||
# complicated logic in the loop
|
||||
PERMISSIONS_ARE_SECURE=true
|
||||
for (( i=0; i<${#ACTUAL_PERMISSIONS}; i++ )); do
|
||||
if [ "${ACTUAL_PERMISSIONS:$i:1}" -gt "${SECURE_PERMISSIONS:$i:1}" ]; then
|
||||
PERMISSIONS_ARE_SECURE=false
|
||||
fi
|
||||
done
|
||||
if [ ! "$PERMISSIONS_ARE_SECURE" = true ]; then
|
||||
echo "wrong permissions $ACTUAL_PERMISSIONS for $CRONDIR, expecting $SECURE_PERMISSIONS. Skipping" | logger
|
||||
continue
|
||||
fi
|
||||
|
||||
BASE=${CRONDIR##*/}
|
||||
TIME_EXT=${BASE##cron.}
|
||||
|
||||
|
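Review bot: The digit-by-digit `-gt` comparison in the inner `for (( i=0; ... ))` loop does not detect stray write bits, because it compares each octal digit as a number rather than as a bit set: a directory with mode 733 (group and others `-wx`, i.e. able to create and remove entries) passes against the default 755 since 3 is not greater than 5, which is exactly the drop-a-script case this check is meant to close. It also assumes `stat -c %a` yields the same number of digits as `SECURE_PERMISSIONS`; when setgid or sticky is set `%a` prints four digits, so the positions misalign and the last iteration compares against an empty string, which makes `[ -gt ]` error out. A mask comparison in bash arithmetic covers both: replace the loop with `if (( (8#$ACTUAL_PERMISSIONS & ~8#$SECURE_PERMISSIONS & 07777) != 0 )); then PERMISSIONS_ARE_SECURE=false; fi`, keeping the existing `PERMISSIONS_ARE_SECURE=true` assignment and the skip branch unchanged. The enclosing `for CRONDIR` loop continues past the end of this hunk.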
@ -74,3 +74,19 @@ DELETE_OLD_CATMAN=yes
|
||||
# How long should old preformatted man pages be kept before deletion? (days)
|
||||
#
|
||||
CATMAN_ATIME=7
|
||||
|
||||
## Type: yesno
|
||||
## Default: yes
|
||||
#
|
||||
# Force cron.{hourly,daily,weekly,monthly} to be
|
||||
# owned by user and group root
|
||||
#
|
||||
ENFORCE_ROOT_OWNER_GROUP_DIR="yes"
|
||||
|
||||
## Type: integer
|
||||
## Default: 755
|
||||
#
|
||||
# Force cron.{hourly,daily,weekly,monthly} to have
|
||||
# at most the listed permissions
|
||||
#
|
||||
SECURE_DIR_PERMISSIONS="755"
|
||||
|
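Review bot: The `## Type: integer` annotation on `SECURE_DIR_PERMISSIONS` is misleading, since run-crons consumes the value as a string of octal digits (it is sliced position by position against the output of `stat -c %a`), so a leading-zero form such as `0755` or a decimal value would not behave as an integer. Suggest adding a comment under the existing description, e.g. `# Three octal digits, as printed by 'stat -c %a' (e.g. 755); do not use a leading 0`, so that an administrator editing this file does not silently disable the check. The comparison logic itself lives in run-crons, outside this file.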