Accepting request 1139665 from home:jsegitz:branches:Base:System

- Set safe permissions for crontab backups. Add * safe-backup-permissions.patch OBS-URL: https://build.opensuse.org/request/show/1139665 OBS-URL: https://build.opensuse.org/package/show/Base:System/cronie?expand=0&rev=217
2024-01-22 15:44:30 +00:00 · 2024-01-22 15:44:30 +00:00 · e9067d45a1
commit e9067d45a1
parent 08b459752f
3 changed files with 40 additions and 0 deletions
--- a/cronie.changes
+++ b/cronie.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Jan 18 08:27:24 UTC 2024 - Johannes Segitz <jsegitz@suse.com>
+
+- Set safe permissions for crontab backups. Add
+  * safe-backup-permissions.patch
+
 -------------------------------------------------------------------
 Thu Jan 11 17:52:56 UTC 2024 - Danilo Spinella <danilo.spinella@suse.com>

--- a/cronie.spec
+++ b/cronie.spec
@ -50,6 +50,8 @@ Patch13:        fix-manpage-replace-anacrontab-with-crontab.patch
 Patch14:        cronie-pam_config-nonlogin.diff
 # PATCH-FIX-UPSTREAM danilo.spinella@suse.com bsc#1218377
 Patch15:        test-for-etc-default-anacron.patch
+# PATCH-FIX-UPSTREAM jsegitz@suse.de https://github.com/cronie-crond/cronie/pull/172
+Patch16:        safe-backup-permissions.patch
 BuildRequires:  audit-devel
 BuildRequires:  autoconf
 BuildRequires:  automake
@ -112,6 +114,7 @@ cp %{SOURCE7} ./cron_to_cronie.README
 %patch14 -p1
 %endif
 %patch15 -p1
+%patch16 -p1

 %build
 # fill macro CRON_VERSION it is used in top three lines of crontab file,should be reworked
--- a/safe-backup-permissions.patch
+++ b/safe-backup-permissions.patch
@ -0,0 +1,31 @@
+Index: cronie-cronie-1.7.0/src/crontab.c
+===================================================================
+--- cronie-cronie-1.7.0.orig/src/crontab.c
+++ cronie-cronie-1.7.0/src/crontab.c
+@@ -520,6 +520,7 @@ static int backup_crontab(const char *cr
+ 	FILE *backup_file;
+ 	struct stat sb;
+ 	int retval = 0;
+	mode_t old_umask;
+ 	
+ 	/* create backup directory */
+ 	if ((env_value = getenv("XDG_CACHE_HOME")) != NULL) {
+@@ -590,6 +591,9 @@ static int backup_crontab(const char *cr
+ 		}
+ 	}
+ 	
+  // ensure backup file has strict permssions. Crontabs are not readable for
+  // other users and might contain sensitive information
+	old_umask = umask(0077);
+ 	if ((backup_file = fopen(backup_path, "w+")) == NULL) {
+ 		fprintf(stderr, "Failed to write to the backup file: ");
+ 		perror(backup_path);
+@@ -598,6 +602,8 @@ static int backup_crontab(const char *cr
+ 	}
+ 
+ 	swapback:
+	umask(old_umask);
+
+ 	if (swap_uids_back() < OK) {
+ 		perror("swapping uids back");
+ 		exit(ERROR_EXIT);