[Bug 1200747] New: permissions package contains invalid entries for bind
https://bugzilla.suse.com/show_bug.cgi?id=1200747

            Bug ID: 1200747
           Summary: permissions package contains invalid entries for bind
    Classification: openSUSE
           Product: openSUSE Distribution
           Version: Leap 15.4
          Hardware: x86
                OS: openSUSE Leap 15.4
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Other
          Assignee: screening-team-bugs@suse.de
          Reporter: lars.vogdt@suse.com
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

I currently get the following error reported when running chkstat --system --set on a 15.4 system (upgraded from 15.3):

/var/lib/named/dev/null: on an insecure path - /var/lib/named has different non-root owner who could tamper with the file.
/var/lib/named/dev/random: on an insecure path - /var/lib/named has different non-root owner who could tamper with the file.

The 'permissions' package has Version: 20201225 (Factory: 20220309). Both mentioned device nodes do not exist any longer, as bind in 15.4 is running non-chroot'ed (encapsulated via systemd instead, see #1196990). The corresponding entry has been removed from the permissions package a few weeks prior, in Oct 2020:
https://github.com/openSUSE/permissions/commit/ece8520ae271152d88ad24968c383...

Quoting the relevant part of the above submission from file /etc/permissions (the part that needs to be removed in the current 15.4 RPM) below:

-------------------------------[/etc/permissions]
# named chroot (#438045)
#
# These currently conflict with a systemd-tmpfiles configuration file.
# The entries in parallel serve the purpose of a whitelisting for
# world-writable files, therefore they need to stay in place until we have a
# better whitelisting concept.
/var/lib/named/dev/null root:root 0666
/var/lib/named/dev/random root:root 0666
-------------------------------

I suggest reviewing the file for 15.4 completely, to avoid other incidents. But at least for my problem, removing the two lines from the file fixed it.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
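Added example, not code from the bug report or from the permissions project: a simplified Python model of the parent-directory walk that chkstat performs for each permissions entry, run over the two quoted lines against a constructed snapshot of a 15.4 host where /var/lib/named belongs to the named user (uid 44 is an assumed value) and the chroot device nodes are gone. It reproduces why the stale root:root entries trip the "insecure path" warning and additionally flags entries whose target no longer exists.

```python
from dataclasses import dataclass
from pathlib import PurePosixPath
# Constructed uid table standing in for /etc/passwd (uid 44 for named is assumed).
USERS = {"root": 0, "named": 44}

@dataclass(frozen=True)
class Stat:
    uid: int
    mode: int  # permission bits only, e.g. 0o755 (0o1000 is the sticky bit)

# Constructed snapshot of a Leap 15.4 host where bind runs without a chroot:
# /var/lib/named belongs to the named user and the old device nodes are gone.
FS = {
    "/": Stat(0, 0o755), "/var": Stat(0, 0o755), "/var/lib": Stat(0, 0o755),
    "/var/lib/named": Stat(44, 0o750),
    "/etc": Stat(0, 0o755), "/etc/shadow": Stat(0, 0o640),
}

def parse_permissions(text):
    """Parse '<path> <owner>:<group> <mode>' lines; comments and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        path, ownership, mode = line.split()
        owner, group = ownership.split(":")
        entries.append((path, owner, group, int(mode, 8)))
    return entries

def check_entry(path, owner, fs=FS):
    """Simplified model of chkstat's parent walk: each directory leading to the
    target must be owned by root or the target owner and not be writable by
    group/others (sticky bit excepted). Returns a list of finding strings."""
    findings, target_uid = [], USERS[owner]
    for parent in reversed(PurePosixPath(path).parents):  # "/" first
        st = fs.get(str(parent))
        if st is None:
            break  # component missing; the target itself is reported below
        if st.uid not in (0, target_uid):
            findings.append(f"{path}: on an insecure path - {parent} has "
                            "different non-root owner who could tamper with the file")
        elif st.mode & 0o022 and not st.mode & 0o1000:
            findings.append(f"{path}: on an insecure path - {parent} is group/world writable")
    if path not in fs:  # our own message, not one printed by chkstat
        findings.append(f"{path}: does not exist (stale entry)")
    return findings

def audit(text, fs=FS):
    return [f for path, owner, _, _ in parse_permissions(text) for f in check_entry(path, owner, fs)]
```

Running audit() over the two quoted entries yields an "insecure path" finding plus a "does not exist" finding for each, which is exactly the situation the bug describes: the check fails on the named-owned parent before it ever reaches the missing device node.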
https://bugzilla.suse.com/show_bug.cgi?id=1200747

Lars Vogdt <lars.vogdt@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lars.vogdt@suse.com
           Assignee|screening-team-bugs@suse.de |josef.moellers@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1200747

Lars Vogdt <lars.vogdt@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |security-team@suse.de
https://bugzilla.suse.com/show_bug.cgi?id=1200747

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |meissner@suse.com
           Assignee|josef.moellers@suse.com     |security-team@suse.de
https://bugzilla.suse.com/show_bug.cgi?id=1200747

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |josef.moellers@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1200747
https://bugzilla.suse.com/show_bug.cgi?id=1200747#c1

Matthias Gerstner <matthias.gerstner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |matthias.gerstner@suse.com
            Summary|permissions package         |AUDIT-WHITELIST:
                   |contains invalid entries    |permissions: invalid
                   |for bind                    |entries for bind in 15.4

--- Comment #1 from Matthias Gerstner <matthias.gerstner@suse.com> ---
Thanks for the report. The error messages from chkstat should actually only be kind of a warning message, although it is certainly unclean.

It will be easiest to remove the entries for named from our SLE-15-SP4 branch after double checking the current state of bind on SLE-15-SP4.
https://bugzilla.suse.com/show_bug.cgi?id=1200747

Matthias Gerstner <matthias.gerstner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Assignee|security-team@suse.de       |matthias.gerstner@suse.com
https://bugzilla.suse.com/show_bug.cgi?id=1200747
https://bugzilla.suse.com/show_bug.cgi?id=1200747#c2

Matthias Gerstner <matthias.gerstner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |IN_PROGRESS

--- Comment #2 from Matthias Gerstner <matthias.gerstner@suse.com> ---
I verified that SLE-15-SP4 no longer ships the bind-chroot package and uses systemd isolation features instead. Therefore the entries can be dropped without consequences.

This requires an update of the permissions package in SLE-15-SP4:Update. I will create the corresponding maintenance request.
https://bugzilla.suse.com/show_bug.cgi?id=1200747
https://bugzilla.suse.com/show_bug.cgi?id=1200747#c6

Matthias Gerstner <matthias.gerstner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|IN_PROGRESS                 |RESOLVED
         Resolution|---                         |FIXED

--- Comment #6 from Matthias Gerstner <matthias.gerstner@suse.com> ---
The update is now in maintenance/QA so from our side all is done. Therefore closing this bug as fixed.
https://bugzilla.suse.com/show_bug.cgi?id=1200747
https://bugzilla.suse.com/show_bug.cgi?id=1200747#c7

--- Comment #7 from Swamp Workflow Management <swamp@suse.de> ---
SUSE-SU-2022:2632-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 1198720,1200747,1201385
CVE References:
JIRA References:
Sources used:
openSUSE Leap 15.4 (src): permissions-20201225-150400.5.8.1, rpmlint-mini-1.10-150400.23.2.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src): rpmlint-mini-1.10-150400.23.2.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): permissions-20201225-150400.5.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.