diff --git a/cronie.changes b/cronie.changes
index 04c3d4a..1308707 100644
--- a/cronie.changes
+++ b/cronie.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Thu Jan 18 08:27:24 UTC 2024 - Johannes Segitz
+
+- Set safe permissions for crontab backups. Add
+ * safe-backup-permissions.patch
+
 -------------------------------------------------------------------
 Thu Jan 11 17:52:56 UTC 2024 - Danilo Spinella
diff --git a/cronie.spec b/cronie.spec
index 5ae531a..7643c1d 100644
--- a/cronie.spec
+++ b/cronie.spec
@@ -50,6 +50,8 @@ Patch13: fix-manpage-replace-anacrontab-with-crontab.patch
 Patch14: cronie-pam_config-nonlogin.diff
 # PATCH-FIX-UPSTREAM danilo.spinella@suse.com bsc#1218377
 Patch15: test-for-etc-default-anacron.patch
+# PATCH-FIX-UPSTREAM jsegitz@suse.de https://github.com/cronie-crond/cronie/pull/172
+Patch16: safe-backup-permissions.patch
 BuildRequires: audit-devel
 BuildRequires: autoconf
 BuildRequires: automake
@@ -112,6 +114,7 @@ cp %{SOURCE7} ./cron_to_cronie.README
 %patch14 -p1
 %endif
 %patch15 -p1
+%patch16 -p1
 %build
 # fill macro CRON_VERSION it is used in top three lines of crontab file,should be reworked
diff --git a/safe-backup-permissions.patch b/safe-backup-permissions.patch
new file mode 100644
index 0000000..ed7e9d5
--- /dev/null
+++ b/safe-backup-permissions.patch
@@ -0,0 +1,31 @@
+Index: cronie-cronie-1.7.0/src/crontab.c
+===================================================================
+--- cronie-cronie-1.7.0.orig/src/crontab.c
++++ cronie-cronie-1.7.0/src/crontab.c
+@@ -520,6 +520,7 @@ static int backup_crontab(const char *cr
+ FILE *backup_file;
+ struct stat sb;
+ int retval = 0;
++ mode_t old_umask;
+ 
+ /* create backup directory */
+ if ((env_value = getenv("XDG_CACHE_HOME")) != NULL) {
+@@ -590,6 +591,9 @@ static int backup_crontab(const char *cr
+ }
+ }
+ 
++ // ensure backup file has strict permssions. Crontabs are not readable for
++ // other users and might contain sensitive information
++ old_umask = umask(0077);
+ if ((backup_file = fopen(backup_path, "w+")) == NULL) {
+ fprintf(stderr, "Failed to write to the backup file: ");
+ perror(backup_path);
+@@ -598,6 +602,8 @@ static int backup_crontab(const char *cr
+ }
+ 
+ swapback:
++ umask(old_umask);
++ 
+ if (swap_uids_back() < OK) {
+ perror("swapping uids back");
+ exit(ERROR_EXIT);
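Review bot: The umask set just before the `fopen(backup_path, "w+")` in the second inner hunk only governs files created by that call, so a backup file that already exists from an earlier run keeps whatever mode it was created with (the "w+" truncates it but does not change its permissions), and its contents remain readable to other users after this change. Tightening the mode explicitly once the open succeeds closes that gap: `if (fchmod(fileno(backup_file), S_IRUSR | S_IWUSR) != 0) { perror(backup_path); }`. The restore at `swapback:` covers the fall-through path; the fopen-failure branch presumably jumps to the same label, but its goto lies outside the hunk, so confirm that no path returns between `umask(0077)` and the label and leaves the process-wide umask narrowed. The new comment also misspells "permissions" (`permssions`). backup_crontab starts and ends outside the hunk.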