[Bug 523006] New: amanda user group changed to disk
http://bugzilla.novell.com/show_bug.cgi?id=523006

Summary: amanda user group changed to disk
Classification: openSUSE
Product: openSUSE 11.2
Version: Milestone 3
Platform: Other
OS/Version: SuSE Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: lnussel@novell.com
ReportedBy: mseben@novell.com
QAContact: qa@suse.de
Found By: ---

Hello,

in 11.2, the amanda user will be a member of group "tape" instead of "disk" (due to the dev/nst* group name change by udev in 11.2), so would it be possible to change the group name for amanda binaries from "disk" to "tape" in the permissions.* files?

Thanks

--
Configure bugmail: http://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.

http://bugzilla.novell.com/show_bug.cgi?id=523006

User mseben@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=523006#c1

--- Comment #1 from Michal Seben <mseben@novell.com> 2009-07-17 07:50:36 MDT ---
I mean change the /etc/permissions.* files from the permissions package

http://bugzilla.novell.com/show_bug.cgi?id=523006

User lnussel@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=523006#c2

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
      Info Provider|                            |mseben@novell.com

--- Comment #2 from Ludwig Nussel <lnussel@novell.com> 2009-07-20 01:01:31 MDT ---
What are those permissions good for anyways? What about getting rid of the setuid bits?

http://bugzilla.novell.com/show_bug.cgi?id=523006

User mseben@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=523006#c3

Michal Seben <mseben@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Info Provider|mseben@novell.com           |lnussel@novell.com

--- Comment #3 from Michal Seben <mseben@novell.com> 2009-07-20 05:28:48 MDT ---
Problematic files:

/usr/lib/amanda/calcsize
/usr/lib/amanda/runtar
/usr/sbin/amcheck
/usr/lib/amanda/dumper
/usr/lib/amanda/planner
/usr/lib/amanda/rundump
/usr/lib/amanda/killpgrp

What I found in the doc:

calcsize, runtar: Since tar traverses the directory hierarchy and reads files as a regular user would, it must run as root. Programs calcsize and runtar therefore must be installed setuid root.

amcheck, dumper, planner: run on the tape server machine and need a privileged network port for secure communication with the clients.

killpgrp: is used to kill vendor dump programs that run as root

rundump: setuid wrapper for systems that need to run the vendor dump program as root

So I think yes, these permissions are needed. Is this info sufficient?

Thanks

http://bugzilla.novell.com/show_bug.cgi?id=523006

User lnussel@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=523006#c4

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |security-team@suse.de

--- Comment #4 from Ludwig Nussel <lnussel@novell.com> 2009-07-20 05:55:04 MDT ---
Doesn't make me less nervous at all :-)

I guess that group tape comes from Debian. I also guess that the admin intends to put users in that group to allow additional access to tape drives only. So abusing that group to also allow access to setuid binaries that potentially allow full root access is not that smart.

I'd suggest to use a separate group for the (root equivalent) amanda user and use the tape group only as supplemental group to gain access to tape drives. So without a full security audit I'd change the entries in the permission files from root:disk to root:amanda.

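The concern in comment #4 can be checked mechanically: the following is an added example, not part of the bug report or of the permissions package, that flags setuid-root entries executable by members of a shared device-access group. Only the paths and group names come from the thread; the `path owner:group mode` entry layout, the 4750/0750 modes and the sample entries are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the bug report or the permissions package.
# Flags setuid-root entries that members of a shared device group can execute.

# Groups an admin hands out for device access only (names from the thread).
SHARED_GROUPS="disk tape"

# Reads "path owner:group mode" entries on stdin (layout assumed here).
# Prints "FLAG path owner:group mode" per risky entry; returns 1 if any.
audit_permissions() {
    awk -v shared="$SHARED_GROUPS" '
        BEGIN { n = split(shared, g, " "); for (i = 1; i <= n; i++) risky[g[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        NF < 3 { next }                     # not a complete entry
        {
            split($2, og, ":")              # og[1] = owner, og[2] = group
            mode   = sprintf("%04d", $3)    # normalise 755 or 04750 to four digits
            setuid = int(substr(mode, 1, 1) / 4) % 2
            grp_x  = substr(mode, 3, 1) % 2 # group execute bit
            if (og[1] == "root" && setuid && grp_x && (og[2] in risky)) {
                print "FLAG", $1, $2, mode
                flagged++
            }
        }
        END { exit (flagged > 0) }
    '
}

# Constructed sample entries; the modes are illustrative, not from the thread.
sample_entries() {
    cat <<'EOF'
# constructed sample in the assumed permissions-file layout
/usr/lib/amanda/calcsize  root:disk    4750
/usr/lib/amanda/runtar    root:tape    4750
/usr/sbin/amcheck         root:amanda  4750
/usr/lib/amanda/killpgrp  root:tape    0750
EOF
}

sample_entries | audit_permissions || echo "entries above need a dedicated group"
```

Entries owned by root:amanda pass because membership in the dedicated group is granted only to the backup account, while the non-setuid root:tape entry passes because running it confers no extra privilege.
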
http://bugzilla.novell.com/show_bug.cgi?id=523006

User lnussel@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=523006#c5

--- Comment #5 from Ludwig Nussel <lnussel@novell.com> 2009-07-28 05:45:17 MDT ---
Ok with the suggestion to use group amanda? You need to create it in your package then.

http://bugzilla.novell.com/show_bug.cgi?id=523006

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Info Provider|lnussel@novell.com          |mseben@novell.com

http://bugzilla.novell.com/show_bug.cgi?id=523006

User mseben@novell.com added comment
http://bugzilla.novell.com/show_bug.cgi?id=523006#c6

Michal Seben <mseben@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |CLOSED
      Info Provider|mseben@novell.com           |
         Resolution|                            |FIXED

--- Comment #6 from Michal Seben <mseben@novell.com> 2009-07-28 06:29:47 MDT ---
Ok, I will add the "amanda" user to primary group "amanda" and supplementary group "tape". I will also change the group for installed files to "amanda".

Thanks

http://bugzilla.novell.com/show_bug.cgi?id=523006
http://bugzilla.novell.com/show_bug.cgi?id=523006#c7

--- Comment #7 from Stefan Schmidt <jsj@jsj.dyndns.org> 2010-01-20 09:55:56 UTC ---
Created an attachment (id=337608)
 --> (http://bugzilla.novell.com/attachment.cgi?id=337608)
diff to fix the wrong statement in spec file

http://bugzilla.novell.com/show_bug.cgi?id=523006
http://bugzilla.novell.com/show_bug.cgi?id=523006#c8

Stefan Schmidt <jsj@jsj.dyndns.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|CLOSED                      |REOPENED
                 CC|                            |jsj@jsj.dyndns.org
            Version|Milestone 3                 |Final
         Resolution|FIXED                       |
           Severity|Normal                      |Major

--- Comment #8 from Stefan Schmidt <jsj@jsj.dyndns.org> 2010-01-20 09:56:51 UTC ---
Unfortunately in the final product the group change in case of an update is not working, as there is a wrong command in the usermod line. Attached is a diff for the spec file.

Please consider an online update, as the functionality of the software is heavily hampered == it does not work.

http://bugzilla.novell.com/show_bug.cgi?id=523006
http://bugzilla.novell.com/show_bug.cgi?id=523006#c

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #337608|application/octet-stream    |text/plain
          mime type|                            |
 Attachment #337608|0                           |1
           is patch|                            |

http://bugzilla.novell.com/show_bug.cgi?id=523006
http://bugzilla.novell.com/show_bug.cgi?id=523006#c

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|lnussel@novell.com          |mseben@novell.com

http://bugzilla.novell.com/show_bug.cgi?id=523006
http://bugzilla.novell.com/show_bug.cgi?id=523006#c9

--- Comment #9 from Michal Seben <mseben@novell.com> 2010-01-20 13:54:24 UTC ---
Thanks Stefan! I will fix the defective line to:

    /usr/bin/id -n -g amanda 2>&1 | grep "disk" >/dev/null && ( /usr/sbin/usermod -g amanda -G tape amanda ; /usr/sbin/usermod -g amanda amanda 2>&1 )

See attached patch.

http://bugzilla.novell.com/show_bug.cgi?id=523006
http://bugzilla.novell.com/show_bug.cgi?id=523006#c10

--- Comment #10 from Michal Seben <mseben@novell.com> 2010-01-20 13:57:35 UTC ---
Created an attachment (id=337660)
 --> (http://bugzilla.novell.com/attachment.cgi?id=337660)
fix group switch

http://bugzilla.novell.com/show_bug.cgi?id=523006
http://bugzilla.novell.com/show_bug.cgi?id=523006#c11

Michal Seben <mseben@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |NEEDINFO
      Info Provider|                            |maintenance@opensuse.org

--- Comment #11 from Michal Seben <mseben@novell.com> 2010-01-20 14:02:53 UTC ---
Mr Maintenance: we need SWAMP-ID here for 11.2

http://bugzilla.novell.com/show_bug.cgi?id=523006
http://bugzilla.novell.com/show_bug.cgi?id=523006#c12

Marcus Meissner <meissner@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |REOPENED
                 CC|                            |meissner@novell.com
      Info Provider|maintenance@opensuse.org    |

--- Comment #12 from Marcus Meissner <meissner@novell.com> 2010-01-20 14:59:21 UTC ---
clear regression fix, lets just do it.

http://bugzilla.novell.com/show_bug.cgi?id=523006
http://bugzilla.novell.com/show_bug.cgi?id=523006#c13

Swamp Workflow Management <swamp@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|                            |maint:running:30358

--- Comment #13 from Swamp Workflow Management <swamp@suse.com> 2010-01-20 15:00:05 UTC ---
The SWAMPID for this issue is 30358.
Please submit the patch and patchinfo file using this ID.
(https://swamp.suse.de/webswamp/wf/30358)

http://bugzilla.novell.com/show_bug.cgi?id=523006
http://bugzilla.novell.com/show_bug.cgi?id=523006#c14

Swamp Workflow Management <swamp@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:30358         |maint:running:30358
                   |                            |maint:released:11.2:30361

--- Comment #14 from Swamp Workflow Management <swamp@suse.com> 2010-02-01 12:23:18 UTC ---
Update released for: amanda, amanda-debuginfo, amanda-debugsource
Products:
openSUSE 11.2 (debug, i586, x86_64)

http://bugzilla.novell.com/show_bug.cgi?id=523006
http://bugzilla.novell.com/show_bug.cgi?id=523006#c

Swamp Workflow Management <swamp@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|maint:running:30358         |.
                   |maint:released:11.2:30361   |

http://bugzilla.novell.com/show_bug.cgi?id=523006
http://bugzilla.novell.com/show_bug.cgi?id=523006#c15

Marcus Meissner <meissner@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #15 from Marcus Meissner <meissner@novell.com> 2010-02-01 12:24:06 UTC ---
released

https://bugzilla.novell.com/show_bug.cgi?id=523006
https://bugzilla.novell.com/show_bug.cgi?id=523006#c16

--- Comment #16 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-10-31 22:02:02 CET ---
This is an autogenerated message for OBS integration:
This bug (523006) was mentioned in
https://build.opensuse.org/request/show/89843 Tumbleweed / permissions

http://bugzilla.novell.com/show_bug.cgi?id=523006
http://bugzilla.novell.com/show_bug.cgi?id=523006#c17

--- Comment #17 from Bernhard Wiedemann <bwiedemann@suse.com> ---
This is an autogenerated message for OBS integration:
This bug (523006) was mentioned in
https://build.opensuse.org/request/show/16380 Factory / amanda
https://build.opensuse.org/request/show/30110 11.2:Test / amanda