Date: Wednesday, August 28, 2013 @ 17:03:56 Author: seblu Revision: 96422
upgpkg: fcron 3.1.2-8 Fix distro specific security breach in fcron. Thanks to Anh K. Huynh <[email protected]> for his quiet report. Modified: fcron/trunk/PKGBUILD fcron/trunk/fcron.install ---------------+ PKGBUILD | 23 +++++++++++++---------- fcron.install | 31 +++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+), 10 deletions(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2013-08-28 11:35:15 UTC (rev 96421)
+++ PKGBUILD 2013-08-28 15:03:56 UTC (rev 96422)
@@ -7,13 +7,17 @@
 pkgname=fcron
 pkgver=3.1.2
-pkgrel=7
+pkgrel=8
 pkgdesc='Feature-rich cron implementation'
 arch=(i686 x86_64)
 url='http://fcron.free.fr'
 license=('GPL')
 depends=('pam' 'run-parts')
-makedepends=('smtp-forwarder' 'vi')
+makedepends=('smtp-forwarder' 'vi' 'fcron')
+# use fcron as recursive deps to have user fcron installed during installation
+# else add the following in build chroot
+# groupadd -g 23 fcron
+# useradd -r -d /var/spool/fcron -u 23 -g 23 fcron
 optdepends=('smtp-forwarder: to send mails from cron jobs'
 'vi: default editor for fcrontab')
 provides=('cron')
@@ -30,13 +34,14 @@
 build() {
 cd $pkgname-$pkgver
+ # Don't use --username=root and --groupname=root, this completly break
+ # fcron security and allow local root escalation.
+ # Thanks to Anh K. Huynh <[email protected]> for reporting it.
 ./configure --prefix=/usr \
 --sbindir=/usr/bin \
 --sysconfdir=/etc/fcron \
 --with-answer-all=no \
 --with-boot-install=no \
- --with-username=root \
- --with-groupname=root \
 --datarootdir=/usr/share \
 --datadir=/usr/share \
 --with-docdir=/usr/share/doc \
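Review bot: Adding `'fcron'` to its own `makedepends` creates a build-time dependency cycle: a clean bootstrap of this package (new architecture, or a chroot in which fcron has never been packaged) cannot satisfy it, and per the comment the only reason is to have the `fcron` account present so `make install` can assign ownership to it. The fallback `groupadd`/`useradd` lines in that comment duplicate the ones added to fcron.install and pin uid/gid 23 in two places with no cross-reference; I would add `# keep uid/gid 23 and the useradd flags identical to post_install in fcron.install` so the two are not changed independently. If the chroot already has some other account at uid 23 the packaged ownership would presumably be silently wrong rather than the build failing, which is worth a sentence in the same comment.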
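Review bot: The new comment in build() says which options not to pass but not why the build now depends on configure's default account, so a later maintainer could reintroduce `--with-username` without seeing the link to the spool ownership and the `.install` script; I would rewrite it as `# Never pass --with-username=root/--with-groupname=root: it turns the runas crontab option into a local root escalation (see post_upgrade in fcron.install); configure's default user must match the fcron account (uid 23) created there.` The escalation mechanism is taken from the post_upgrade message in this commit, not from anything visible in this hunk, so confirm the wording against upstream before committing to it. Also fix "completly break" to "completely breaks" in the first line.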
@@ -44,22 +49,20 @@
 --with-systemdsystemunitdir=/usr/lib/systemd/system \
 --with-piddir=/run \
 --with-editor=/usr/bin/vi \
- --with-sendmail=/usr/sbin/sendmail
+ --with-sendmail=/usr/bin/sendmail
 make
 }
 package() {
 cd $pkgname-$pkgver
-
 make DESTDIR="$pkgdir/" install
- install -D -m644 "$srcdir/$pkgname-$pkgver/files/fcron.pam" "$pkgdir/etc/pam.d/fcron"
+ install -Dm644 files/fcron.pam "$pkgdir/etc/pam.d/fcron"
+ install -Dm644 files/fcrontab.pam "$pkgdir/etc/pam.d/fcrontab"
- install -D -m644 "$srcdir/$pkgname-$pkgver/files/fcrontab.pam" "$pkgdir/etc/pam.d/fcrontab"
-
 # Install a default fcrontab so that fcron can completely replace dcron
 # We doesn't use binary format which is incompatible between arch and may cause crash
 # We regenerate the binary format at each update
- install -D -m640 "$srcdir/systab.orig" "$pkgdir/var/spool/fcron/systab.orig"
+ install -Dm640 "$srcdir/systab.orig" "$pkgdir/var/spool/fcron/systab.orig"
 # Add cron.* directories
 install -d -m755 "$pkgdir/etc/cron.daily"
Modified: fcron.install
===================================================================
--- fcron.install 2013-08-28 11:35:15 UTC (rev 96421)
+++ fcron.install 2013-08-28 15:03:56 UTC (rev 96422)
@@ -1,5 +1,8 @@
 # arg 1: the new package version
 post_install() {
+ # we need a dedicated fcron user
+ getent group fcron >/dev/null || groupadd -g 23 fcron
+ getent passwd fcron >/dev/null || useradd -r -d /var/spool/fcron -u 23 -g 23 fcron
 # Generate binary format which is incompatible between arch
 fcrontab -z -u systab &>/dev/null
 }
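Review bot: `systab.orig` is still packaged as root:root with mode 640 (`install -Dm640` sets no owner or group), while the post_upgrade migration added in this same commit explicitly runs `chgrp fcron` on every `*.orig` in the spool; a fresh install never gets that chgrp, so the upgrade and install paths leave different group ownership on the same file. If fcrontab needs group access to the `.orig` (the migration suggests it, but nothing in this hunk proves it), `install -Dm640 -g fcron "$srcdir/systab.orig" "$pkgdir/var/spool/fcron/systab.orig"` — feasible now that the fcron account exists in the build chroot — or an explicit `chgrp fcron /var/spool/fcron/systab.orig` in post_install would make the two paths agree. The `cd $pkgname-$pkgver` at the top of package() is unquoted, unlike every other path in the function; `cd "$pkgname-$pkgver"` is the consistent form. package() continues past the end of this hunk.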
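Review bot: The new `useradd` in post_install creates the `fcron` service account without `-s`, so it receives the default login shell; an account that exists only to own the spool should get `-s /usr/bin/nologin`, and `-g 23` should be `-g fcron` so that if gid 23 was already taken and `groupadd -g 23 fcron` failed, the account is not attached to an unrelated group. Neither `groupadd` nor `useradd` failure is checked — with uid/gid 23 already in use the script continues, and the later `fcrontab -z -u systab &>/dev/null` (and the `chown fcron:fcron` in post_upgrade, outside this hunk) fail silently — so I would abort loudly instead: `getent passwd fcron >/dev/null || useradd -r -d /var/spool/fcron -s /usr/bin/nologin -u 23 -g fcron fcron || { echo 'fcron: cannot create user fcron' >&2; return 1; }`. The same `|| { …; return 1; }` guard belongs on the `groupadd` line.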
@@ -8,6 +11,34 @@
 # arg 2: the old package version
 post_upgrade() {
 post_install "$1"
+ if (( $(vercmp $2 3.1.2-8) < 0 )); then
+ echo 'Previous versions of fcron allow root priviledge escalation by using'
+ echo 'runas option in crontabs. fcron check rights at crontab compilation.'
+ echo 'Thus, the migration script will recreate the binary crontabs'
+ echo 'for you (with all side effects) and fix the files rights.'
+ # fix invalid etc files
+ for _f in /etc/fcron/fcron.{conf,allow,deny}; do
+ [[ -e $_f ]] || continue
+ chown root:fcron "$_f"
+ chmod 640 "$_f"
+ done
+ # fix invalid spool directory
+ chown fcron:fcron /var/spool/fcron
+ chmod 770 /var/spool/fcron
+ # regen user fcron files
+ cd /var/spool/fcron
+ for _f in *; do
+ if [[ "${_f%.orig}" != "$_f" ]]; then
+ chgrp fcron "$_f"
+ fcrontab -z -u "${_f%.orig}" &>/dev/null
+ fi
+ done
+ fi
 }
+post_remove() {
+ userdel fcron &>/dev/null
+ groupdel fcron &>/dev/null
+}
+
 # vim:set ts=2 sw=2 et:
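Review bot: `cd /var/spool/fcron` in post_upgrade is unchecked; if the directory is missing or the cd fails, the following `for _f in *` runs in whatever the script's current directory happens to be and `chgrp fcron` plus `fcrontab -z -u` are applied to any `*.orig` found there, so it should read `cd /var/spool/fcron || return 1` (or iterate `/var/spool/fcron/*.orig` with an absolute path and no cd at all). The vercmp call expands `$2` unquoted (`vercmp "$2" 3.1.2-8`), and every `fcrontab`, `userdel` and `groupdel` failure is hidden by `&>/dev/null`, which for a migration whose entire purpose is restoring correct ownership means a half-applied fix goes unnoticed; at least the `chgrp`/`fcrontab` pair should report failure to stderr. post_remove deletes the account while `/var/spool/fcron` may still contain files owned by uid/gid 23, handing them to whichever account is later assigned that id; leaving the system account in place is the safer default, or remove the spool contents first. The user-facing messages also misspell "priviledge" and should say "fcron checks rights".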
