Hello community,

here is the log from the commit of package cronie for openSUSE:Factory checked 
in at 2017-11-29 10:52:01
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cronie (Old)
 and      /work/SRC/openSUSE:Factory/.cronie.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "cronie"

Wed Nov 29 10:52:01 2017 rev:65 rq:546013 version:unknown

Changes:
--------
--- /work/SRC/openSUSE:Factory/cronie/cronie.changes    2017-08-29 
11:36:51.349343123 +0200
+++ /work/SRC/openSUSE:Factory/.cronie.new/cronie.changes       2017-11-29 
10:52:05.365892088 +0100
@@ -1,0 +2,18 @@
+Mon Nov 27 09:48:27 UTC 2017 - [email protected]
+
+- Ensure that /etc/cron.{hourly,daily,weekly,monthly} have proper
+  permissions and owner. This is racy but prevents some LPE vectors
+
+-------------------------------------------------------------------
+Fri Nov 24 17:25:56 UTC 2017 - [email protected]
+
+- Requires smtp_daemon (not just Recommends) as it's needed by
+  run-crons script [bsc#1064834] 
+
+-------------------------------------------------------------------
+Thu Nov 23 13:39:47 UTC 2017 - [email protected]
+
+- Replace references to /var/adm/fillup-templates with new 
+  %_fillupdir macro (boo#1069468)
+
+-------------------------------------------------------------------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ cronie.spec ++++++
--- /var/tmp/diff_new_pack.kkMzZl/_old  2017-11-29 10:52:06.337856826 +0100
+++ /var/tmp/diff_new_pack.kkMzZl/_new  2017-11-29 10:52:06.341856681 +0100
@@ -16,6 +16,11 @@
 #
 
 
+#Compat macro for new _fillupdir macro introduced in Nov 2017
+%if ! %{defined _fillupdir}
+  %define _fillupdir /var/adm/fillup-templates
+%endif
+
 %define cron_configs %{_sysconfdir}/pam.d/crond %{_sysconfdir}/crontab 
%{_sysconfdir}/cron.deny
 Name:           cronie
 Version:        1.5.1
@@ -61,7 +66,7 @@
 %if 0%{?suse_version} >= 1330
 Requires(pre):  group(trusted)
 %endif
-Recommends:     smtp_daemon
+Requires:       smtp_daemon
 Suggests:       postfix
 Conflicts:      cron <= 4.1
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
@@ -139,8 +144,8 @@
 install -c -m755 contrib/0anacron 
%{buildroot}%{_sysconfdir}/cron.hourly/0anacron
 mkdir -p %{buildroot}%{_localstatedir}/spool/anacron
 mv %{buildroot}%{_sbindir}/crond %{buildroot}%{_sbindir}/cron
-mkdir -p %{buildroot}%{_localstatedir}/adm/fillup-templates
-cp %{SOURCE9} %{buildroot}%{_localstatedir}/adm/fillup-templates/
+mkdir -p %{buildroot}%{_fillupdir}
+cp %{SOURCE9} %{buildroot}%{_fillupdir}/
 
 touch %{buildroot}%{_localstatedir}/spool/anacron/cron.daily
 touch %{buildroot}%{_localstatedir}/spool/anacron/cron.weekly
@@ -206,7 +211,7 @@
 %{_sbindir}/rccron
 %{_libexecdir}/cron
 %{_unitdir}/cron.service
-%{_localstatedir}/adm/fillup-templates/sysconfig.cron
+%{_fillupdir}/sysconfig.cron
 
 %files anacron
 %defattr(-,root,root,-)

++++++ run-crons ++++++
--- /var/tmp/diff_new_pack.kkMzZl/_old  2017-11-29 10:52:06.457852472 +0100
+++ /var/tmp/diff_new_pack.kkMzZl/_new  2017-11-29 10:52:06.457852472 +0100
@@ -34,6 +34,8 @@
 #        bnc#812367 support MAILFROM as cron does
 #     2016-08-08 - [email protected]
 #        bnc#983925 run crons even on battery
+#     2017-10-24 - [email protected]
+#        bsc#1062722 - harden run-cron to ensure correct directory permissions
 
 if [ -f /etc/sysconfig/cron ]; then
        . /etc/sysconfig/cron
@@ -99,8 +101,28 @@
 #set verbose
 ## stage 1,  search directories/scripts to run
 RUN=""
+SECURE_PERMISSIONS="${SECURE_DIR_PERMISSIONS:-755}"
 for CRONDIR in /etc/cron.{hourly,daily,weekly,monthly} ; do
     test -d $CRONDIR || continue
+    # this is racy but better than nothing
+    if [ ! "$ENFORCE_ROOT_OWNER_GROUP_DIR" = "no" ] && [ ! -O $CRONDIR -o ! -G 
$CRONDIR ]; then
+      echo "wrong owner/group for $CRONDIR, skipping" | logger
+      continue
+    fi
+    ACTUAL_PERMISSIONS=$(stat -c %a $CRONDIR)
+    # to have this default to false would be better, but would require a more
+    # complicated logic in the loop 
+    PERMISSIONS_ARE_SECURE=true
+    for (( i=0; i<${#ACTUAL_PERMISSIONS}; i++ )); do
+      if [ "${ACTUAL_PERMISSIONS:$i:1}" -gt "${SECURE_PERMISSIONS:$i:1}" ]; 
then
+        PERMISSIONS_ARE_SECURE=false
+      fi
+    done
+    if [ ! "$PERMISSIONS_ARE_SECURE" = true ]; then
+      echo "wrong permissions $ACTUAL_PERMISSIONS for $CRONDIR, expecting 
$SECURE_PERMISSIONS. Skipping" | logger
+      continue
+    fi
+
     BASE=${CRONDIR##*/}
     TIME_EXT=${BASE##cron.}
     
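Review bot: The digit-by-digit `-gt` loop over ACTUAL_PERMISSIONS does not test that the mode is a subset of SECURE_PERMISSIONS, so a group- or world-writable directory such as mode 722 or 733 passes against the default 755 (2 and 3 are not greater than 5), which is the very case the hardening is meant to reject. It also misbehaves when `stat -c %a` prints four digits for a setgid/sticky directory: `${SECURE_PERMISSIONS:3:1}` is then empty, `[` reports an integer-expression error instead of comparing, and the directory is not flagged. Replace the loop with a bitmask check on the permission bits: `if (( (8#$ACTUAL_PERMISSIONS & ~8#$SECURE_PERMISSIONS & 8#777) != 0 )); then` / `  PERMISSIONS_ARE_SECURE=false` / `fi`. The ownership test a few lines above uses the deprecated `-o`; `[ ! -O "$CRONDIR" ] || [ ! -G "$CRONDIR" ]` expresses the same condition unambiguously. The enclosing `for CRONDIR` loop continues past the end of the hunk, and the script's interpreter line is not visible here, so confirm it is bash before relying on `(( ))` (the new `for (( ... ))` already assumes it).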

++++++ sysconfig.cron ++++++
--- /var/tmp/diff_new_pack.kkMzZl/_old  2017-11-29 10:52:06.493851167 +0100
+++ /var/tmp/diff_new_pack.kkMzZl/_new  2017-11-29 10:52:06.493851167 +0100
@@ -74,3 +74,19 @@
 # How long should old preformatted man pages be kept before deletion? (days)
 #
 CATMAN_ATIME=7
+
+## Type:       yesno
+## Default:    yes
+#
+# Force cron.{hourly,daily,weekly,monthly} to be
+# owned by user and group root
+#
+ENFORCE_ROOT_OWNER_GROUP_DIR="yes"
+
+## Type:       integer
+## Default:    755
+#
+# Force cron.{hourly,daily,weekly,monthly} to have
+# at most the listed permissions
+#
+SECURE_DIR_PERMISSIONS="755"
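Review bot: `## Type: integer` on SECURE_DIR_PERMISSIONS undersells what the value is: run-crons reads it as an octal mode string and compares it character by character against `stat -c %a` output, so a reader setting it as a plain number (or a four-digit mode) will not get integer semantics. The comment should say so, e.g. `# Octal mode as printed by stat -c %a (three digits, e.g. 755); a directory` / `# whose mode grants more than this is skipped by run-crons`. It would also help to note next to ENFORCE_ROOT_OWNER_GROUP_DIR that run-crons skips a directory not owned by the running user and group, since "root" in the comment is only true when the script runs as root.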

