[Bug 683017] New: SuSEconfig fails to set permissions
https://bugzilla.novell.com/show_bug.cgi?id=683017
https://bugzilla.novell.com/show_bug.cgi?id=683017#c0

           Summary: SuSEconfig fails to set permissions
    Classification: openSUSE
           Product: openSUSE 11.4
           Version: Final
          Platform: x86-64
        OS/Version: openSUSE 11.4
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: R.Vickers@cs.rhul.ac.uk
         QAContact: qa@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-GB; rv:1.9.2.16) Gecko/20110319 Firefox/3.6.16

Running SuSEconfig fails to set permissions, for example those defined in
/etc/permissions.local.

I ran SuSEconfig from the command line and got the following messages:

Executing /sbin/conf.d/SuSEconfig.permissions...
no permissions will be changed if not called explicitly
Checking permissions and ownerships - using the permissions files
        /etc/permissions
        /etc/permissions.secure
        /etc/permissions.d/mail-server
        /etc/permissions.d/sendmail
        /etc/permissions.local

I looked at /sbin/conf.d/SuSEconfig.permissions and it contains the following
line:

/usr/bin/chkstat --suseconfig $mode

This is peculiar because --suseconfig is not documented in chkstat(1), and
because $mode does not appear to be set.

So I typed

/usr/bin/chkstat --system

and that worked as expected.

Note this is a security issue, because part of an administrator's security
configuration will be lost.

Reproducible: Always

Steps to Reproduce:
1. Put some permission lines in /etc/permissions.local
2. Run SuSEconfig
3.

Actual Results:
No permissions changed

Expected Results:
Permissions changed as specified in /etc/permissions.local

Here is a suggested patch:

--- orig.SuSEconfig.permissions 2011-03-16 16:43:58.000000000 +0000 +++ SuSEconfig.permissions 2011-03-28 11:13:01.317663623 +0100 
@@ -29,4 +29,4 @@ exit 0 fi -/usr/bin/chkstat --suseconfig $mode +/usr/bin/chkstat --system -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.
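Review bot: On the replacement `chkstat` line, hard-coding `--system` drops `$mode` entirely, so this hunk gives no way to tell whether a generic SuSEconfig run should only report or should not touch permissions at all. Please show that the guard ending in `exit 0` / `fi` directly above still covers those cases, remove any earlier code that was meant to set `$mode` if it is now dead, and add a comment beside the call stating that a plain SuSEconfig run now changes permissions, since the report itself notes that `--suseconfig` is not documented in chkstat(1).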
https://bugzilla.novell.com/show_bug.cgi?id=683017
https://bugzilla.novell.com/show_bug.cgi?id=683017#c

Marcus Meissner <meissner@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-screening@forge.pr |lnussel@novell.com
                   |ovo.novell.com              |
https://bugzilla.novell.com/show_bug.cgi?id=683017
https://bugzilla.novell.com/show_bug.cgi?id=683017#c1

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Severity|Major                       |Normal

--- Comment #1 from Ludwig Nussel <lnussel@novell.com> 2011-03-29 08:53:32 CEST ---
That's intentional as we want to get rid of SuSEconfig.permissions in the long
run. I'll fix the comment in /etc/permissions.local instead.

Note if you run "SuSEconfig --module permissions" the permissions will be set.
Just the generic "SuSEconfig" call doesn't do it.
https://bugzilla.novell.com/show_bug.cgi?id=683017
https://bugzilla.novell.com/show_bug.cgi?id=683017#c2

--- Comment #2 from Bob Vickers <R.Vickers@cs.rhul.ac.uk> 2011-03-31 11:31:31 UTC ---
Would it be possible to put something in the Release Notes about this? An
existing mechanism has stopped working and there is nothing telling the
administrator what to use instead.
https://bugzilla.novell.com/show_bug.cgi?id=683017
https://bugzilla.novell.com/show_bug.cgi?id=683017#c3

--- Comment #3 from Ludwig Nussel <lnussel@novell.com> 2011-03-31 13:50:11 CEST ---
I'm not sure that's important enough for the release notes tbh. After all
SuSEconfig tells that it doesn't actually change permissions:

# SuSEconfig
[...]
Executing /sbin/conf.d/SuSEconfig.permissions...
no permissions will be changed if not called explicitly
https://bugzilla.novell.com/show_bug.cgi?id=683017
https://bugzilla.novell.com/show_bug.cgi?id=683017#c4

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #4 from Ludwig Nussel <lnussel@novell.com> 2011-04-08 14:38:36 CEST ---
comments fixed in git
https://bugzilla.novell.com/show_bug.cgi?id=683017
https://bugzilla.novell.com/show_bug.cgi?id=683017#c5

Michael Monnerie <novell-web@zmi.at> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |novell-web@zmi.at

--- Comment #5 from Michael Monnerie <novell-web@zmi.at> 2011-08-09 06:23:07 UTC ---
I want to comment on this as I just got aware of it now. You're playing
dangerous if you change a behaviour that has been there for years. Also, the
comment in /etc/sysconfig/security (security!!!):

# SuSEconfig can call chkstat to check permissions and ownerships for
# files and directories (using /etc/permissions).
# Setting to "set" will correct it, "warn" produces warnings, if
# something strange is found. Disable this feature with "no".
#
CHECK_PERMISSIONS="set"

But despite having it set to "set", it doesn't do that anymore. The current
ignorance of this "set" option puts security of openSUSE installations at risk,
and broke things for us. We only found that now, as we have lots of automation
tools to do the administration of the systems.

Changing a security feature without any big warning sign in the release notes
is BAD, BAD, BAD, don't do that. It's OK if you want to get rid of
SuSEconfig.permissions, but please don't break existing things, or at least
update /etc/sysconfig/security, and change the comment there.

Also, I'd be interested to know what you want to offer instead
"SuSEconfig.permissions". There will be some other way to easily configure file
security, right? I don't understand why you have to break things now.
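Because a plain SuSEconfig run no longer applies the permissions files, automation that relied on it can verify the outcome rather than assume it. The script below is an added example, not part of this thread and not chkstat's own code; it assumes the "path owner:group mode" line format for permissions.local-style files and GNU stat, and the function name perm_drift is hypothetical.

```shell
#!/bin/sh
# Added example: report files whose owner or mode differs from a
# permissions.local-style list. Assumed line format: "path owner:group mode".

# perm_drift LIST -> prints one line per mismatch; returns 1 if any was found.
perm_drift() {
    list=$1
    drift=0
    while read -r path owner mode _rest || [ -n "$path" ]; do
        # Skip blank lines and comments.
        case $path in ''|'#'*) continue ;; esac
        # File not present on this host: nothing to compare.
        [ -e "$path" ] || continue
        # Normalise "0600" and "600" to the same octal string.
        want_mode=$(printf '%o' "0$mode")
        have_owner=$(stat -c '%U:%G' "$path")
        have_mode=$(stat -c '%a' "$path")
        if [ "$have_owner" != "$owner" ] || [ "$have_mode" != "$want_mode" ]; then
            echo "DRIFT $path have=$have_owner/$have_mode want=$owner/$want_mode"
            drift=1
        fi
    done < "$list"
    return $drift
}

# Constructed sample: a scratch file left at 0666 while the list asks for 0600.
demo_dir=$(mktemp -d)
touch "$demo_dir/secret.conf"
chmod 0666 "$demo_dir/secret.conf"
me=$(stat -c '%U:%G' "$demo_dir/secret.conf")
printf '# constructed sample list\n%s %s 0600\n' \
    "$demo_dir/secret.conf" "$me" > "$demo_dir/permissions.local"

# On drift, the thread's explicit calls are the remedy:
# "SuSEconfig --module permissions" or "/usr/bin/chkstat --system".
perm_drift "$demo_dir/permissions.local" || echo "drift found: apply the list explicitly"
```

Run against /etc/permissions.local from cron or a configuration-management check, a non-zero return signals that the permissions were not applied.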
https://bugzilla.novell.com/show_bug.cgi?id=683017
https://bugzilla.novell.com/show_bug.cgi?id=683017#c6

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |madworm_de.novell@spitzenpf
                   |                            |eil.org

--- Comment #6 from Ludwig Nussel <lnussel@suse.com> 2011-12-16 14:50:30 CET ---
*** Bug 737321 has been marked as a duplicate of this bug. ***
http://bugzilla.novell.com/show_bug.cgi?id=737321