[Bug 1201385] AUDIT-0: postfix: review of permissions-file-setuid-bit: /usr/sbin/postlog (02755)
http://bugzilla.opensuse.org/show_bug.cgi?id=1201385
http://bugzilla.opensuse.org/show_bug.cgi?id=1201385#c7

--- Comment #7 from Christian Wittmer <chris@computersalat.de> ---

(In reply to Matthias Gerstner from comment #4)
> The change in security context is rather limited here, since the postlog program only runs as the postdrop group. So no root privileges are involved.
> The main concern would be that the files owned by the postdrop group could be corrupted or could be disclosed, or processes owned by the postdrop group could be influenced in a bad way.
> The hardening efforts in the postlog code look pretty good. The command line parameters are limited and don't look harmful. Environment variables are handled with the required care. In the privilege escalation context no environment variables are trusted at all.
> The more or less only purpose of the postlog command is to send log data to syslog. The process name used in logging is limited to "postlog", so no spoofing should be possible there.
> What can be spoofed is the log message content as such, which is kind of by design. Maybe sudoers rules or something like it would have been more selective regarding who is actually allowed to log something as the postdrop user.
> Still, the attack surface is manageable and I agree to whitelist the setgid setting in the permissions package.
Thank you. Will there also be an update of the permissions pkg for Leap 15.3 and 15.4?
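An added illustration, not code from the bug report or from the permissions package itself: a small Python checker that parses whitelist lines modelled on the permissions package's "path owner:group mode" form (the sample lines below are constructed) and reports a binary whose on-disk bits or ownership differ from its entry, calling out a setuid bit explicitly where only setgid postdrop was granted.

```python
import os
import grp
import pwd
import stat

# Constructed sample modelled on the permissions package format
# (path owner:group octal-mode); not the distribution's real file.
PERMISSIONS_SAMPLE = """\
/usr/sbin/postlog    root:postdrop   2755
/usr/sbin/postdrop   root:postdrop   2755
"""


def parse_permissions(text):
    """Parse 'path owner:group mode' lines into {path: (owner, group, mode)}."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        path, owner_group, mode = line.split()
        owner, group = owner_group.split(":")
        entries[path] = (owner, group, int(mode, 8))
    return entries


def describe_mismatch(expected, actual):
    """Compare (owner, group, mode) tuples and return a list of problems."""
    problems = []
    e_owner, e_group, e_mode = expected
    a_owner, a_group, a_mode = actual
    if a_owner != e_owner:
        problems.append(f"owner {a_owner} != {e_owner}")
    if a_group != e_group:
        problems.append(f"group {a_group} != {e_group}")
    # A setuid bit the whitelist never granted is the case reviewers care about most.
    if a_mode & stat.S_ISUID and not e_mode & stat.S_ISUID:
        problems.append("setuid bit set but not whitelisted")
    if a_mode != e_mode:
        problems.append(f"mode {a_mode:04o} != {e_mode:04o}")
    return problems


def check_file(path, expected):
    """Stat a real file and compare it with its whitelist entry."""
    st = os.lstat(path)
    actual = (pwd.getpwuid(st.st_uid).pw_name,
              grp.getgrgid(st.st_gid).gr_name,
              stat.S_IMODE(st.st_mode))
    return describe_mismatch(expected, actual)
```

Running `check_file(path, parse_permissions(open("/etc/permissions").read())[path])` on a live system compares the installed binary against its whitelist entry; an empty list means it matches.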