[opensuse-security] Security upgrade tramples on local permissions
Hi,

The recent coreutils update (coreutils-8.14-3.11.1.x86_64) on opensuse 12.2 applied using 'zypper patch' has changed the permissions of /bin/su:

< -rwsr-x--- 1 root support 39984 2012-09-25 14:40:45.000000000 +0100 /bin/su
---
-rwsr-xr-x 1 root root 39984 2012-11-12 13:57:18.000000000 +0000 /bin/su

The result is that a security barrier has been silently removed.

Should not the patch process ensure that settings in /etc/permissions.local are honoured?

We have ENABLE_SUSECONFIG="yes" in /etc/sysconfig/suseconfig.

Regards,
Bob

==============================================================
Bob Vickers R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org

On Wed, Nov 21, 2012 at 10:43:10AM +0000, Bob Vickers wrote:
Hi,
The recent coreutils update (coreutils-8.14-3.11.1.x86_64) on opensuse 12.2 applied using 'zypper patch' has changed the permissions of /bin/su:
< -rwsr-x--- 1 root support 39984 2012-09-25 14:40:45.000000000 +0100 /bin/su
---
-rwsr-xr-x 1 root root 39984 2012-11-12 13:57:18.000000000 +0000 /bin/su
The result is that a security barrier has been silently removed.
Should not the patch process ensure that settings in /etc/permissions.local are honoured?
We have ENABLE_SUSECONFIG="yes" in /etc/sysconfig/suseconfig.
Yes it should.

Please give output of:

grep PERMISSION_SECURITY /etc/sysconfig/security
grep -r /bin/su /etc/permissions*

Ciao, Marcus

On Wed, 21 Nov 2012, Marcus Meissner wrote:
On Wed, Nov 21, 2012 at 10:43:10AM +0000, Bob Vickers wrote:
Hi,
The recent coreutils update (coreutils-8.14-3.11.1.x86_64) on opensuse 12.2 applied using 'zypper patch' has changed the permissions of /bin/su:
< -rwsr-x--- 1 root support 39984 2012-09-25 14:40:45.000000000 +0100 /bin/su
---
-rwsr-xr-x 1 root root 39984 2012-11-12 13:57:18.000000000 +0000 /bin/su
The result is that a security barrier has been silently removed.
Should not the patch process ensure that settings in /etc/permissions.local are honoured?
We have ENABLE_SUSECONFIG="yes" in /etc/sysconfig/suseconfig.
Yes it should.
Please give output of:
grep PERMISSION_SECURITY /etc/sysconfig/security
grep -r /bin/su /etc/permissions*

Here you go:

$ grep PERMISSION_SECURITY /etc/sysconfig/security
PERMISSION_SECURITY="secure local"
# PERMISSION_SECURITY. If PERMISSION_SECURITY contains 'secure' or

$ grep -r /bin/su /etc/permissions*
/etc/permissions:/usr/bin/suidperl root:root 755
/etc/permissions.easy:/bin/su root:root 4755
/etc/permissions.easy:/usr/bin/sudo root:root 4755
/etc/permissions.local:# Restrict /bin/su to group support
/etc/permissions.local:/bin/su root.support 4750
/etc/permissions.paranoid:/bin/su root:root 0755
/etc/permissions.paranoid:/usr/bin/sudo root:root 0755
/etc/permissions.secure:/bin/su root:root 4755
/etc/permissions.secure:/usr/bin/sudo root:root 4755

By the way, there was a mistake in my message: the systems this occurs on are Opensuse 12.1, not 12.2. Sorry about that.

Regards,
Bob

Here you go:
$ grep PERMISSION_SECURITY /etc/sysconfig/security
PERMISSION_SECURITY="secure local"
# PERMISSION_SECURITY. If PERMISSION_SECURITY contains 'secure' or
$ grep -r /bin/su /etc/permissions*
/etc/permissions:/usr/bin/suidperl root:root 755
/etc/permissions.easy:/bin/su root:root 4755
/etc/permissions.easy:/usr/bin/sudo root:root 4755
/etc/permissions.local:# Restrict /bin/su to group support
/etc/permissions.local:/bin/su root.support 4750
/etc/permissions.paranoid:/bin/su root:root 0755
/etc/permissions.paranoid:/usr/bin/sudo root:root 0755
/etc/permissions.secure:/bin/su root:root 4755
/etc/permissions.secure:/usr/bin/sudo root:root 4755
By the way, there was a mistake in my message: the systems this occurs on are Opensuse 12.1, not 12.2. Sorry about that.
Hmm, really:
/etc/permissions.local:/bin/su root.support 4750
I think there needs to be a : in there:
/etc/permissions.local:/bin/su root:support 4750
?

Ciao, Marcus

On Wed, 21 Nov 2012, Marcus Meissner wrote:
Here you go:
$ grep PERMISSION_SECURITY /etc/sysconfig/security
PERMISSION_SECURITY="secure local"
# PERMISSION_SECURITY. If PERMISSION_SECURITY contains 'secure' or
$ grep -r /bin/su /etc/permissions*
/etc/permissions:/usr/bin/suidperl root:root 755
/etc/permissions.easy:/bin/su root:root 4755
/etc/permissions.easy:/usr/bin/sudo root:root 4755
/etc/permissions.local:# Restrict /bin/su to group support
/etc/permissions.local:/bin/su root.support 4750
/etc/permissions.paranoid:/bin/su root:root 0755
/etc/permissions.paranoid:/usr/bin/sudo root:root 0755
/etc/permissions.secure:/bin/su root:root 4755
/etc/permissions.secure:/usr/bin/sudo root:root 4755
By the way, there was a mistake in my message: the systems this occurs on are Opensuse 12.1, not 12.2. Sorry about that.
Hmm, really:
/etc/permissions.local:/bin/su root.support 4750
I think there needs to be a : in there:
/etc/permissions.local:/bin/su root:support 4750
?
Ah, yes, you are quite right. I don't think it is the whole story though; I am pretty sure something has changed. My incorrect lines have been around for many years and copied from system to system. I suspect that some were initially copied from /etc/permissions.easy.

Until recently these lines have worked, and indeed they still work if you call "SuSEconfig -module permissions".

So my guess is that zypper now calls some new method for setting local permissions which is fussier about syntax: is that right?

There is nothing wrong with that, I'm just trying to solve a mystery. So please excuse me expending bandwidth on this.

Regards,
Bob

Sorry to be so obsessive, but I have found where the dots came from! Here are some excerpts from the permissions.local file that was distributed with SuSE 10.2:

# Format:
# <file> <owner>.<group> <permission>
# example:
#/usr/local/bin/mtr root.root 4755

So at some point the recommended delimiter has changed from dot to colon and now that change is being silently enforced. Other long-standing SuSE users might want to check their /etc/permissions.local files as well.

Bob

On Thu, Nov 22, 2012 at 11:04:27AM +0000, Bob Vickers wrote:
On Wed, 21 Nov 2012, Marcus Meissner wrote:
Here you go:
$ grep PERMISSION_SECURITY /etc/sysconfig/security
PERMISSION_SECURITY="secure local"
# PERMISSION_SECURITY. If PERMISSION_SECURITY contains 'secure' or
$ grep -r /bin/su /etc/permissions*
/etc/permissions:/usr/bin/suidperl root:root 755
/etc/permissions.easy:/bin/su root:root 4755
/etc/permissions.easy:/usr/bin/sudo root:root 4755
/etc/permissions.local:# Restrict /bin/su to group support
/etc/permissions.local:/bin/su root.support 4750
/etc/permissions.paranoid:/bin/su root:root 0755
/etc/permissions.paranoid:/usr/bin/sudo root:root 0755
/etc/permissions.secure:/bin/su root:root 4755
/etc/permissions.secure:/usr/bin/sudo root:root 4755
By the way, there was a mistake in my message: the systems this occurs on are Opensuse 12.1, not 12.2. Sorry about that.
Hmm, really:
/etc/permissions.local:/bin/su root.support 4750
I think there needs to be a : in there:
/etc/permissions.local:/bin/su root:support 4750
?
Ah, yes, you are quite right. I don't think it is the whole story though; I am pretty sure something has changed. My incorrect lines have been around for many years and copied from system to system. I suspect that some were initially copied from /etc/permissions.easy.
Until recently these lines have worked, and indeed they still work if you call "SuSEconfig -module permissions".
So my guess is that zypper now calls some new method for setting local permissions which is fussier about syntax: is that right?
Hmm, actually it supports both ":" and "." still, after reading chkstat.c.

And /bin/su gets applied the permission checking on installation of its RPM these days, not just with SuSEconfig --module permissions.

The order of the files is the one in PERMISSION_SECURITY="secure local" so secure first, and local afterwards...
There is nothing wrong with that, I'm just trying to solve a mystery. So please excuse me expending bandwidth on this.
It's weird that it does not work.

You can testrun it manually with:

chkstat --system --warn --examine /bin/su

Ciao, Marcus

On Thu, 22 Nov 2012, Marcus Meissner wrote:
On Thu, Nov 22, 2012 at 11:04:27AM +0000, Bob Vickers wrote:
On Wed, 21 Nov 2012, Marcus Meissner wrote:
Here you go:
$ grep PERMISSION_SECURITY /etc/sysconfig/security
PERMISSION_SECURITY="secure local"
# PERMISSION_SECURITY. If PERMISSION_SECURITY contains 'secure' or
$ grep -r /bin/su /etc/permissions*
/etc/permissions:/usr/bin/suidperl root:root 755
/etc/permissions.easy:/bin/su root:root 4755
/etc/permissions.easy:/usr/bin/sudo root:root 4755
/etc/permissions.local:# Restrict /bin/su to group support
/etc/permissions.local:/bin/su root.support 4750
/etc/permissions.paranoid:/bin/su root:root 0755
/etc/permissions.paranoid:/usr/bin/sudo root:root 0755
/etc/permissions.secure:/bin/su root:root 4755
/etc/permissions.secure:/usr/bin/sudo root:root 4755
By the way, there was a mistake in my message: the systems this occurs on are Opensuse 12.1, not 12.2. Sorry about that.
Hmm, really:
/etc/permissions.local:/bin/su root.support 4750
I think there needs to be a : in there:
/etc/permissions.local:/bin/su root:support 4750
?
Ah, yes, you are quite right. I don't think it is the whole story though; I am pretty sure something has changed. My incorrect lines have been around for many years and copied from system to system. I suspect that some were initially copied from /etc/permissions.easy.
Until recently these lines have worked, and indeed they still work if you call "SuSEconfig -module permissions".
So my guess is that zypper now calls some new method for setting local permissions which is fussier about syntax: is that right?
Hmm, actually it supports both ":" and "." still, after reading chkstat.c.
And /bin/su gets applied the permission checking on installation of its RPM these days, not just with SuSEconfig --module permissions.
The order of the files is the one in PERMISSION_SECURITY="secure local" so secure first, and local afterwards...
There is nothing wrong with that, I'm just trying to solve a mystery. So please excuse me expending bandwidth on this.
It's weird that it does not work.
You can testrun it manually with:
chkstat --system --warn --examine /bin/su

Dear Marcus,

OK, it seems the syntax question (dots or colons) is a red herring. I have changed the dots to colons and reinstalled coreutils, and the permissions again reverted to factory defaults.

# ls -l /bin/su
-rwsr-x--- 1 root support 39984 Nov 12 13:57 /bin/su
# zypper in -f coreutils
Loading repository data...
Reading installed packages...
Forcing installation of 'coreutils-8.14-3.11.1.x86_64' from repository 'openSUSE-12.1-Update'.
Resolving package dependencies...

The following package is going to be reinstalled:
coreutils

1 package to reinstall.
Overall download size: 1.0 MiB. No additional space will be used or freed after the operation.
Continue? [y/n/?] (y):
Retrieving package coreutils-8.14-3.11.1.x86_64 (1/1), 1.0 MiB (4.7 MiB unpacked)
Retrieving: coreutils-8.14-3.11.1.x86_64.rpm [done]
Installing: coreutils-8.14-3.11.1 [done]

ribosome# ls -l /bin/su
-rwsr-xr-x 1 root root 39984 Nov 12 13:57 /bin/su
# chkstat --system --set --examine /bin/su
Checking permissions and ownerships - using the permissions files
/etc/permissions
/etc/permissions.secure
/etc/permissions.d/mail-server
/etc/permissions.d/sendmail
/etc/permissions.d/texlive
/etc/permissions.local
setting /bin/su to root:support 4750. (wrong owner/group root:root permissions 4755)

Regards,
Bob

Dear Marcus,
OK, it seems the syntax question (dots or colons) is a red herring. I have changed the dots to colons and reinstalled coreutils, and the permissions again reverted to factory defaults.
# ls -l /bin/su
-rwsr-x--- 1 root support 39984 Nov 12 13:57 /bin/su
# zypper in -f coreutils
Loading repository data...
Reading installed packages...
Forcing installation of 'coreutils-8.14-3.11.1.x86_64' from repository 'openSUSE-12.1-Update'.
Resolving package dependencies...
The following package is going to be reinstalled:
coreutils
1 package to reinstall.
Overall download size: 1.0 MiB. No additional space will be used or freed after the operation.
Continue? [y/n/?] (y):
Retrieving package coreutils-8.14-3.11.1.x86_64 (1/1), 1.0 MiB (4.7 MiB unpacked)
Retrieving: coreutils-8.14-3.11.1.x86_64.rpm [done]
Installing: coreutils-8.14-3.11.1 [done]
ribosome# ls -l /bin/su
-rwsr-xr-x 1 root root 39984 Nov 12 13:57 /bin/su
# chkstat --system --set --examine /bin/su
Checking permissions and ownerships - using the permissions files
/etc/permissions
/etc/permissions.secure
/etc/permissions.d/mail-server
/etc/permissions.d/sendmail
/etc/permissions.d/texlive
/etc/permissions.local
setting /bin/su to root:support 4750. (wrong owner/group root:root permissions 4755)
Hah! I love this bug. :)

I dug deeper into it and it becomes apparent if you do:

rpm -q --scripts coreutils|grep bin/su
/usr/bin/chkstat -n --set --system /usr/bin/su
/usr/bin/chkstat -n --warn --system -e /bin/su 1>&2

So the actual permission setting in %post uses the wrong path, so it changes back to the RPM permissions and not the system permissions.

I have opened bug 791026.

Ciao, Marcus
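
The failure in this thread, a package update putting /bin/su back to the RPM defaults despite /etc/permissions.local, is the kind of drift a check run after patching can report. The sketch below is an added example, not part of the original thread and not chkstat's code: the function names, the ROOT prefix argument and the fixture are assumptions, and it needs GNU stat.

```shell
#!/bin/sh
# Added example: report drift between a permissions file and the file system.
# Entry format as shown in the thread: <file> <owner>:<group> <mode>
# (the older <owner>.<group> form is accepted too).

# check_perms FILE [ROOT]: print one DRIFT line per entry whose owner, group
# or mode differs from the listed value; return 1 if any drift was found.
# ROOT is a hypothetical path prefix so the check can run against a fixture.
check_perms() {
    permfile=$1; root=${2:-}; drift=0
    while read -r path ownergrp mode rest; do
        case $path in ''|'#'*) continue ;; esac   # blank line or comment
        [ -n "$mode" ] || continue                 # malformed entry
        case $ownergrp in
            *:*) owner=${ownergrp%%:*}; group=${ownergrp#*:} ;;
            *.*) owner=${ownergrp%%.*}; group=${ownergrp#*.} ;;
            *)   continue ;;
        esac
        [ -e "$root$path" ] || continue            # file not installed
        have=$(stat -c '%U:%G %a' "$root$path")    # GNU stat: owner:group mode
        # Compare modes as octal numbers so 0755 and 755 are equal.
        if [ "${have% *}" != "$owner:$group" ] ||
           [ $((0${have##* })) -ne $((0$mode)) ]; then
            echo "DRIFT $path: is $have, want $owner:$group $mode"
            drift=1
        fi
    done < "$permfile"
    return $drift
}

# Constructed fixture mirroring the thread: the entry asks for mode 750 but
# the "reinstalled" file is 755. The file's own owner and group stand in for
# root:support, because changing ownership needs root.
demo_drift() {
    tmp=$(mktemp -d); mkdir -p "$tmp/bin"
    : > "$tmp/bin/su"; chmod 755 "$tmp/bin/su"
    og=$(stat -c '%U:%G' "$tmp/bin/su")
    printf '# Restrict /bin/su\n/bin/su %s 750\n' "$og" > "$tmp/permissions.local"
    rc=0; check_perms "$tmp/permissions.local" "$tmp" || rc=$?
    rm -rf "$tmp"
    return $rc
}

if [ "${1:-}" = demo ]; then demo_drift; fi
```

On a real system, call `check_perms /etc/permissions.local` after each patch run; on openSUSE, `chkstat --system --warn` as used in the thread performs the equivalent check against all configured permissions files.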