[opensuse-security] otrs and permissions file
Hi,

for otrs I need this config: (https://build.opensuse.org/package/show?package=otrs&project=network%3Aotrs%3ATest)

%defattr(0644,%{name},www,0775)
%dir /opt/%{name}/var/article
%dir /opt/%{name}/var/log
%dir /opt/%{name}/var/tmp

but obs is complaining: permissions-directory-setuid-bit and I should contact security@suse.de

Here I am :) Is this acceptable?

Kind Regards
Chris
On 21.07.2010 13:36, Christian wrote:
Hi,
for otrs I need this config: (https://build.opensuse.org/package/show?package=otrs&project=network%3Aotrs%3ATest)
sorry, typo: %defattr(0644,%{name},www,2775)
%dir /opt/%{name}/var/article
%dir /opt/%{name}/var/log
%dir /opt/%{name}/var/tmp
but obs is complaining: permissions-directory-setuid-bit and I should contact security@suse.de
Here I am :) Is this acceptable?

Kind Regards
Chris
Christian wrote:
On 21.07.2010 13:36, Christian wrote:
for otrs I need this config: (https://build.opensuse.org/package/show?package=otrs&project=network%3Aotrs%3ATest)
sorry, typo: %defattr(0644,%{name},www,2775)
%dir /opt/%{name}/var/article
%dir /opt/%{name}/var/log
%dir /opt/%{name}/var/tmp
but obs is complaining: permissions-directory-setuid-bit and I should contact security@suse.de
Here I am :) Is this acceptable?

Well, if it wasn't the build would abort with an error :-) Having directories with setgid bits is rather unusual though. Are you sure it's required?

cu
Ludwig

--
Ludwig Nussel, http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Hi Ludwig,
Well, if it wasn't the build would abort with an error :-) Having directories with setgid bits is rather unusual though. Are you sure it's required?
It's the way the OTRS guys do it.

# set the var directory to OTRS and webserver user
# (excerpt from OTRS's permission setup script; $DestDir, $NotRoot,
#  $OtrsUserId, $WebGroupId, safeChown and safeChmod are defined
#  elsewhere in that script)
use File::Find;

my @Dirs = (
    "$DestDir/var/article",
    "$DestDir/var/log",
    "$DestDir/var/tmp",
    "$DestDir/var/spool",
    "$DestDir/var/stats",
    "$DestDir/var/sessions",
);
for my $Dir (@Dirs) {
    if ( !-e $Dir ) {
        mkdir $Dir;
    }
}
find( \&makeWritableSetGid, @Dirs );

sub makeWritableSetGid {
    my $File = $_;
    my $Mode;
    if ( -d $File ) {
        $Mode = 02775;    # directories: group-writable plus setgid
    }
    else {
        $Mode = 0664;     # files: group-writable
    }
    if ($NotRoot) {
        $Mode |= 2;       # not root: no chown, make it world-writable instead
        safeChmod( $Mode, $File );
    }
    else {
        safeChown( $OtrsUserId, $WebGroupId, $File );
        safeChmod( $Mode, $File );
    }
}

Not sure what is worse: using the suid bit, or having "wwwrun" as DIR owner.

cu
Chris
Hi Ludwig,

On 21.07.2010 13:55, Ludwig Nussel wrote:
Well, if it wasn't the build would abort with an error :-) Having directories with setgid bits is rather unusual though. Are you sure it's required?

Yes, it is required. Now I made a permissions file, which needs to be reviewed for acceptance.

https://build.opensuse.org/package/show?package=otrs&project=network%3Aotrs%3ATest

Cheers
-- Christian

----------------------------------------------------
- Please do not 'CC' me on list mails. Just reply to the list :)
----------------------------------------------------
The ultimate shop for sportswear and accessories http://www.sc24.de
----------------------------------------------------
Hi Ludwig,

2nd attempt ;)

On 2010-07-21 13:55, Ludwig Nussel wrote:
Well, if it wasn't the build would abort with an error :-) Having directories with setgid bits is rather unusual though. Are you sure it's required?

Yes, it is required. Now I made a permissions file, which needs to be reviewed for acceptance.

https://build.opensuse.org/package/show?package=otrs&project=network%3Aotrs%3ATest

Thank you.

Cheers
-- Christian
Christian wrote:
On 2010-07-21 13:55, Ludwig Nussel wrote:
Well, if it wasn't the build would abort with an error :-) Having directories with setgid bits is rather unusual though. Are you sure it's required?
Yes, it is required. Now I made a permissions file, which needs to be reviewed for acceptance.
https://build.opensuse.org/package/show?package=otrs&project=network%3Aotrs%3ATest
Thank you.

Well, if you want entries in the permissions files in Factory please file a bug for security-team so the request is documented properly.

However, looking at the permissions file you include it's not acceptable anyways. You must not package sub-directories in service owned directories. rpm cannot handle that in a safe way. Having a 'bin' directory rw by a service user looks immediately suspicious. Looks like the init script even starts scripts from there and the init script runs as root!

cu
Ludwig

PS: hostname -f is evil, even more so in a sysconfig file.

--
Ludwig Nussel, http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
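The two objections raised in this thread (the obs complaint about setuid/setgid bits on packaged directories, and the rule that sub-directories must not be packaged inside service-owned directories, which also covers Chris's "wwwrun as DIR owner" worry earlier) can be checked mechanically before a spec file reaches a reviewer. The Python below is an added example written for this page; it is neither OTRS's nor rpmlint's code, and its two lint rules are a simplified model of the thread's points, not a reimplementation of rpmlint's checks. It expands a small subset of an RPM %files list (%defattr, %attr, %dir and plain paths, with rpm's documented defaults of 0644/root/root/0755) into per-path attributes and runs the rules over them. Both sample %files lists are constructed: the first reproduces the %defattr and %dir lines from the thread plus an assumed packaged parent /opt/%{name}/var owned by the service user; the second is an assumed reworking with a root-owned parent and per-directory %attr entries, shown only to illustrate what the rules accept, not as a claim about what OTRS needs.

```python
"""Model of RPM %files attribute handling plus two packaging lint rules.

Added example, not OTRS or rpmlint code. The %defattr/%attr/%dir expansion
follows rpm's documented semantics; the lint rules model the objections in
the opensuse-security thread and are not rpmlint's actual checks.
"""
import os
import stat
from dataclasses import dataclass


@dataclass
class Entry:
    path: str
    is_dir: bool
    mode: int
    owner: str
    group: str


def _parse_attr(text):
    """Split 'mode,owner,group[,dirmode]'; '-' means keep the current default."""
    parts = [p.strip() for p in text.split(",")]
    while len(parts) < 4:
        parts.append("-")
    return parts


def expand_files(lines, macros):
    """Expand a subset of an RPM %files list into Entry objects."""
    file_mode, owner, group, dir_mode = 0o644, "root", "root", 0o755  # rpm defaults
    entries = []
    for raw in lines:
        line = raw.strip()
        for name, value in macros.items():
            line = line.replace("%{" + name + "}", value)
        if not line or line.startswith("#"):
            continue
        if line.startswith("%defattr("):
            f, o, g, d = _parse_attr(line[len("%defattr("):line.index(")")])
            file_mode = int(f, 8) if f != "-" else file_mode
            owner = o if o != "-" else owner
            group = g if g != "-" else group
            dir_mode = int(d, 8) if d != "-" else dir_mode
            continue
        e_mode, e_owner, e_group = None, owner, group
        if line.startswith("%attr("):
            close = line.index(")")
            m, o, g, _ = _parse_attr(line[len("%attr("):close])
            e_mode = int(m, 8) if m != "-" else None
            e_owner = o if o != "-" else owner
            e_group = g if g != "-" else group
            line = line[close + 1:].strip()
        is_dir = line.startswith("%dir ")
        path = line[len("%dir "):].strip() if is_dir else line
        if e_mode is None:
            e_mode = dir_mode if is_dir else file_mode
        entries.append(Entry(path, is_dir, e_mode, e_owner, e_group))
    return entries


def lint(entries, system_accounts=("root",)):
    """Return (rule, path, detail) tuples for the packaging patterns the thread objects to."""
    findings = []
    dirs = {e.path: e for e in entries if e.is_dir}
    for e in entries:
        # Rule 1: a packaged directory carrying setuid or setgid bits. The rule name
        # follows the obs message quoted in the thread; the check itself is a model.
        if e.is_dir and e.mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append(("permissions-directory-setuid-bit", e.path, f"{e.mode:04o}"))
        # Rule 2: a packaged path whose nearest packaged ancestor is owned by a
        # service (non-root) account; rpm cannot create or replace it safely there.
        parent = os.path.dirname(e.path)
        while parent not in ("", "/"):
            p = dirs.get(parent)
            if p is not None and p.owner not in system_accounts:
                findings.append(("path-in-service-owned-directory", e.path, parent))
                break
            parent = os.path.dirname(parent)
    return findings


MACROS = {"name": "otrs"}  # assumed %{name}

# Constructed: the thread's lines plus an assumed packaged, service-owned parent.
THREAD_FILES = """\
%defattr(0644,%{name},www,2775)
%dir /opt/%{name}/var
%dir /opt/%{name}/var/article
%dir /opt/%{name}/var/log
%dir /opt/%{name}/var/tmp
"""

# Constructed: assumed reworking with a root-owned parent and no setgid bits.
HARDENED_FILES = """\
%defattr(0644,root,root,0755)
%dir /opt/%{name}/var
%attr(0770,%{name},www) %dir /opt/%{name}/var/article
%attr(0770,%{name},www) %dir /opt/%{name}/var/log
%attr(0770,%{name},www) %dir /opt/%{name}/var/tmp
"""


def check(files_text):
    """Expand a %files list with the assumed macros and lint it."""
    return lint(expand_files(files_text.splitlines(), MACROS))


if __name__ == "__main__":
    for label, text in (("thread", THREAD_FILES), ("hardened", HARDENED_FILES)):
        print(f"{label}: {len(check(text))} finding(s)")
        for rule, path, detail in check(text):
            print(f"  {rule}: {path} ({detail})")
```

Running it reports seven findings for the thread's layout (each of the four directories carries the setgid bit, and the three sub-directories sit below a service-owned packaged parent) and none for the reworked list. The second rule deliberately looks only at packaged ancestors: an unpackaged parent such as /opt is outside rpm's control and is not the rule's concern.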