[Bug 843230] New: VUL-0: root occasionally gets group=100(users)
https://bugzilla.novell.com/show_bug.cgi?id=843230
https://bugzilla.novell.com/show_bug.cgi?id=843230#c0

Summary: VUL-0: root occasionally gets group=100(users)
Classification: openSUSE
Product: openSUSE Factory
Version: 13.1 Beta 1
Platform: Other
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Basesystem
AssignedTo: meissner@suse.com
ReportedBy: meissner@suse.com
QAContact: qa-bugs@suse.de
CC: coolo@suse.com, security-team@suse.de, crrodriguez@opensuse.org
Found By: ---
Blocker: ---

root occasionally gets group=100(users) instead of group=0(root), which is a security problem.

It is unclear how this happens. New installs of 13.1 Beta do not seem to do that. Upgrades / Updates seem to do it, but it is unclear which ones do.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=843230#c1
Swamp Workflow Management
https://bugzilla.novell.com/show_bug.cgi?id=843230#c2
--- Comment #2 from Cristian Rodríguez
https://bugzilla.novell.com/show_bug.cgi?id=843230#c3
Robin Jacobs
https://bugzilla.novell.com/show_bug.cgi?id=843230#c4
Christian Boltz
Incidentally, this is on the Raspberry Pi images;

    raspberrypi:~ # ll /etc/shadow
    -rw-r--r-- 1 root root 468 Dec 4 18:42 /etc/shadow

This looks bad. Can anyone confirm? Should I file a separate bug report for this?
Yes, that's worth a separate bugreport.

For the problem of having the wrong group for root - IIRC useradd, usermod etc. are logging to syslog what they are doing. Can the people who have the problem please grep their logs for it please? I'd try

    grep "root.*users"

(or, as general command, grep "root.*$GROUP")

Another way might be to add a watch on /etc/passwd and /etc/group with auditctl before starting the update, and to hope that the bug will appear.

In any case, you should relate the timestamp to something in /var/log/zypp/history.
https://bugzilla.novell.com/show_bug.cgi?id=843230#c5
Bernhard Wiedemann
Incidentally, this is on the Raspberry Pi images;

    raspberrypi:~ # ll /etc/shadow
    -rw-r--r-- 1 root root 468 Dec 4 18:42 /etc/shadow

This looks bad. Can anyone confirm? Should I file a separate bug report for this?
It is a different (also bad) issue. I found that this comes from me using the "build" script that has

    sed -e "s@^root::@root:*:@" < $BUILD_ROOT/etc/shadow > $BUILD_ROOT/etc/shadow.t && mv $BUILD_ROOT/etc/shadow.t $BUILD_ROOT/etc/shadow

I'll work around it and upload an updated image.
https://build.opensuse.org/package/rdiff/devel:ARM:13.1:Contrib:RaspberryPi/altimagebuild?linkrev=base&rev=3
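Why a sed-to-temp-file followed by mv can leave /etc/shadow world-readable, shown on a scratch copy next to a variant that keeps the original mode. This is an added example, not code from the build script or from this thread; the function names and the sample shadow entries are constructed for illustration.

```shell
#!/bin/sh
# Constructed demo on a scratch copy; the real /etc/shadow is never touched.

# First ten characters of "ls -l" output, e.g. -rw-r--r--
mode_of() { ls -ld "$1" | cut -c1-10; }

# Pattern from the build script: sed writes a brand-new file and mv renames
# it over the original. The new inode gets umask-default permissions.
rewrite_unsafe() {
    sed -e "s@^root::@root:*:@" < "$1" > "$1.t" && mv "$1.t" "$1"
}

# Same edit, but the temp file is first created with cp -p, so it carries
# the original's mode (and owner, when run as root). The '>' redirection
# then truncates that file without resetting its permissions.
rewrite_safe() {
    cp -p "$1" "$1.t" &&
    sed -e "s@^root::@root:*:@" < "$1" > "$1.t" &&
    mv "$1.t" "$1"
}

# Build a 0600 sample shadow file (constructed entries), run the given
# rewriter under a typical umask of 022, then report mode and root line.
result_of() {
    dir=$(mktemp -d) || return 1
    printf 'root::16000::::::\nbin:*:16000::::::\n' > "$dir/shadow"
    chmod 600 "$dir/shadow"
    ( umask 022; "$1" "$dir/shadow" ) || { rm -rf "$dir"; return 1; }
    echo "$(mode_of "$dir/shadow") $(head -n 1 "$dir/shadow")"
    rm -rf "$dir"
}

echo "unsafe: $(result_of rewrite_unsafe)"
echo "safe:   $(result_of rewrite_safe)"
```

The unsafe variant ends with the same -rw-r--r-- mode seen in the ll output quoted above.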
https://bugzilla.novell.com/show_bug.cgi?id=843230#c6
--- Comment #6 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=843230#c7
--- Comment #7 from Robin Jacobs
https://bugzilla.novell.com/show_bug.cgi?id=843230#c8
--- Comment #8 from Robin Jacobs
https://bugzilla.novell.com/show_bug.cgi?id=843230#c9
--- Comment #9 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=843230#c10
--- Comment #10 from Robin Jacobs
https://bugzilla.novell.com/show_bug.cgi?id=843230#c11
--- Comment #11 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=843230#c12
--- Comment #12 from Robin Jacobs
https://bugzilla.novell.com/show_bug.cgi?id=843230#c13
--- Comment #13 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=843230#c14
Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=843230#c15
Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=843230#c16
--- Comment #16 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=843230#c17
--- Comment #17 from Cristian Rodríguez
I am going to adjust the config.xml.in
coolo, can we respin the live images? :)
What about releasing an update (in aaa_base? or "permissions" maybe) removing root from any other group than "root"?
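A check for the condition this bug describes and for the cleanup suggested above, as an added example that is not part of the thread or of any openSUSE package: it reports when root's primary GID in a passwd file is not 0 and when root is listed as a member of any other group. The function names and the sample passwd/group entries are constructed.

```shell
#!/bin/sh
# check_root_groups PASSWD GROUP
# Prints one finding per line and returns 1 if there is any finding.
check_root_groups() {
    awk -F: -v pw="$1" '
        FILENAME == pw {                     # passwd: name:pw:uid:gid:...
            if ($1 == "root") rootgid = $4
            next
        }
        { name[$3] = $1 }                    # group: name:pw:gid:members
        $1 != "root" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == "root") extra = extra " " $1
        }
        END {
            if (rootgid == "") { print "no root entry in passwd"; bad = 1 }
            else if (rootgid != "0") {
                printf "primary gid=%s(%s)\n", rootgid, name[rootgid]; bad = 1
            }
            if (extra != "") { print "supplementary:" extra; bad = 1 }
            exit bad + 0
        }' "$1" "$2"
}

# Run the check on constructed files.
# $1 = root's primary GID, $2 = member list of the sample group "video"
sample_check() {
    dir=$(mktemp -d) || return 1
    printf 'root:x:0:%s:root:/root:/bin/bash\n' "$1" > "$dir/passwd"
    printf 'alice:x:1000:100::/home/alice:/bin/bash\n' >> "$dir/passwd"
    printf 'root:x:0:\nusers:x:100:\nvideo:x:33:%s\n' "$2" > "$dir/group"
    check_root_groups "$dir/passwd" "$dir/group"; rc=$?
    rm -rf "$dir"
    return $rc
}

sample_check 100 root,alice || echo "root group setup needs fixing"
sample_check 0 alice && echo "root group setup is clean"
```

On a live system the call would be check_root_groups /etc/passwd /etc/group, run before and after an update.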
https://bugzilla.novell.com/show_bug.cgi?id=843230#c18
--- Comment #18 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=843230#c19
--- Comment #19 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=843230#c20
Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=843230#c21
--- Comment #21 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=843230#c
Swamp Workflow Management
https://bugzilla.novell.com/show_bug.cgi?id=843230#c22
--- Comment #22 from Bernhard Wiedemann
https://bugzilla.novell.com/show_bug.cgi?id=843230#c
Swamp Workflow Management
https://bugzilla.novell.com/show_bug.cgi?id=843230#c23
Marcus Meissner