In article <[EMAIL PROTECTED]> you wrote:

> Have I done something wrong, or missing something?  It seems to me to be a
> major security hole in a system when crontab executes the
> %{l_prefix}/etc/rc scripts as root, and that script can then execute other
> programs with root privileges where the rc script and package scripts are
> writeable by any user other than root.  What's to prevent anyone from
> having something like this in their rc.package file?
> 
> ...
> %start -p 200 -u root
>        rm -rf /
> ...
> 
> Programs like COPS go to some length to check for programs and scripts run
> out of cron with root privileges to ensure that things like this can't
> happen.
> 
> It seems to me that the only way around this with openpkg (short of writing
> some kind of program that checks ownership and writeability of any root
> cron scripts) would be to have all the base directories under %{l_prefix}
> writeable only by root while the RPM directory has the usual ownership and
> permissions.
> 
> This would still allow non-root users to build software, but would require
> root privileges to install.

The general issue with the four user/group ids in OpenPKG I've now
tried to document at http://www.openpkg.org/faq.html#uid-security

The situation you mention is correct: someone with management user/group
(owner of your OpenPKG instance you specified with --user/--group)
access can reach super user/group access through manipulations of rc
files. But this is similar to the situation of "bin" and "root" in your
Unix system. Because even if the rc files and the rc script itself are
owned and writeable only by "root", this still does not change any
security here. Because the scripts themselves execute files in your
OpenPKG instance and those are owned by the management user/group ids,
too. Same for your Unix system: if someone is able to reach "bin" he
just needs to change some system commands and wait for the next system
cronjob or system reboot. So, you _HAVE_ to treat the OpenPKG management
user/group equal to "root" when it comes to security.

                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com

______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
Developer Communication List                   [EMAIL PROTECTED]
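
The ownership and writability check discussed in this thread, as an added example that is not part of the original messages or of OpenPKG. It audits a root-run script together with the files that script executes, which is the point of the reply above; the function names, the constructed sample tree and the choice of trusted uids are assumptions for illustration.

```python
import os, stat, tempfile

def audit_chain(path, top, trusted_uids, trusted_gids=()):
    """Check path and each ancestor directory up to top; return findings."""
    findings = []
    cur, top = os.path.realpath(path), os.path.realpath(top)
    while True:
        st = os.stat(cur)
        if st.st_uid not in trusted_uids:
            findings.append(f"{cur}: owner uid {st.st_uid} is not trusted")
        if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
            findings.append(f"{cur}: writable by untrusted gid {st.st_gid}")
        if st.st_mode & stat.S_IWOTH:
            findings.append(f"{cur}: world-writable")
        parent = os.path.dirname(cur)
        if cur == top or parent == cur:
            return findings
        cur = parent

def audit_root_job(script, executed, top, trusted_uids, trusted_gids=()):
    """Audit the cron-run script and every file it executes as root."""
    return {p: audit_chain(p, top, trusted_uids, trusted_gids)
            for p in [script, *executed]}

def build_constructed_prefix():
    """Constructed sample tree standing in for an instance prefix."""
    top = tempfile.mkdtemp()
    for rel in ("etc", "bin"):
        os.mkdir(os.path.join(top, rel))
        os.chmod(os.path.join(top, rel), 0o755)
    # etc/rc is locked down; bin/tool (run by rc) is group-writable.
    for rel, mode in (("etc/rc", 0o755), ("bin/tool", 0o775)):
        full = os.path.join(top, rel)
        with open(full, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(full, mode)
    return top

if __name__ == "__main__":
    top = build_constructed_prefix()
    rc, tool = os.path.join(top, "etc/rc"), os.path.join(top, "bin/tool")
    # Treat only the current uid as trusted (stand-in for root here).
    report = audit_root_job(rc, [tool], top, {os.getuid()})
    for path, findings in report.items():
        print(path, "OK" if not findings else findings)
```

On a real system the trusted set would be `{0}` and `top` would be `/`, so every ancestor directory of each file is covered.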
