On Wed, 21 Nov 2012, Marcus Meissner wrote:
On Wed, Nov 21, 2012 at 10:43:10AM +0000, Bob Vickers wrote:
Hi,
The recent coreutils update (coreutils-8.14-3.11.1.x86_64) on opensuse 12.2 applied using 'zypper patch' has changed the permissions of /bin/su:
< -rwsr-x--- 1 root support 39984 2012-09-25 14:40:45.000000000 +0100 /bin/su
---
> -rwsr-xr-x 1 root root 39984 2012-11-12 13:57:18.000000000 +0000 /bin/su
The result is that a security barrier has been silently removed.
Should not the patch process ensure that settings in /etc/permissions.local are honoured?
We have ENABLE_SUSECONFIG="yes" in /etc/sysconfig/suseconfig.
Yes it should.
Please give output of:
grep PERMISSION_SECURITY /etc/sysconfig/security
grep -r /bin/su /etc/permissions*
Here you go:

$ grep PERMISSION_SECURITY /etc/sysconfig/security
PERMISSION_SECURITY="secure local"
# PERMISSION_SECURITY. If PERMISSION_SECURITY contains 'secure' or
$ grep -r /bin/su /etc/permissions*
/etc/permissions:/usr/bin/suidperl root:root 755
/etc/permissions.easy:/bin/su root:root 4755
/etc/permissions.easy:/usr/bin/sudo root:root 4755
/etc/permissions.local:# Restrict /bin/su to group support
/etc/permissions.local:/bin/su root.support 4750
/etc/permissions.paranoid:/bin/su root:root 0755
/etc/permissions.paranoid:/usr/bin/sudo root:root 0755
/etc/permissions.secure:/bin/su root:root 4755
/etc/permissions.secure:/usr/bin/sudo root:root 4755

By the way, there was a mistake in my message: the systems this occurs on are Opensuse 12.1, not 12.2. Sorry about that.

Regards,
Bob

==============================================================
Bob Vickers R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
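
An added example, not part of the thread and not openSUSE's own tooling: a small Python audit that compares on-disk owner, group and mode with the entries of a permissions-format file such as /etc/permissions.local, to catch the kind of silent reset reported above after a package update. The function names and the `root` parameter are assumptions for illustration; both the `owner:group` and `owner.group` forms seen in the grep output are accepted.

```python
import grp
import os
import pwd
import stat

def user_name(uid):
    """Resolve a uid to a name, falling back to the number as a string."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)

def group_name(gid):
    """Resolve a gid to a name, falling back to the number as a string."""
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:
        return str(gid)

def parse_permissions(text):
    """Yield (path, owner, group, mode) for each 'path owner:group mode' entry."""
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments and blank lines
        if len(fields) != 3:
            continue
        path, owner_group, mode = fields
        sep = ":" if ":" in owner_group else "."  # 'root.support' form also occurs
        owner, _, group = owner_group.partition(sep)
        yield path, owner, group, int(mode, 8)

def audit(text, root="/"):
    """Return (path, expected, actual) for entries whose on-disk state differs."""
    findings = []
    for path, owner, group, mode in parse_permissions(text):
        try:
            st = os.lstat(os.path.join(root, path.lstrip("/")))
        except FileNotFoundError:
            continue  # file not installed, nothing to compare
        actual = (user_name(st.st_uid), group_name(st.st_gid), stat.S_IMODE(st.st_mode))
        if actual != (owner, group, mode):
            findings.append((path, f"{owner}:{group} {mode:04o}",
                             f"{actual[0]}:{actual[1]} {actual[2]:04o}"))
    return findings

if __name__ == "__main__":
    with open("/etc/permissions.local") as fh:
        for path, want, got in audit(fh.read()):
            print(f"{path}: expected {want}, found {got}")
```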