[Pkg-cron-devel] [SCM] Git repository for pkg-cron branch, sf3, updated. debian/3.0pl1-109-20-gde88d23
Christian Kastner
debian at kvr.at
Sat Sep 24 22:26:48 UTC 2011
The following commit has been merged in the sf3 branch:
commit 82ba77e954dfb70bc07f6e2be4d723f1d532a721
Author: Christian Kastner <debian at kvr.at>
Date: Sun Sep 25 00:02:57 2011 +0200
Add patch extending error messages
Print helpful messages instead of the oblique "WRONG INODE INFO"
diff --git a/debian/patches/features/better-reporting-for-security-checks b/debian/patches/features/better-reporting-for-security-checks
new file mode 100644
index 0000000..fae20ca
--- /dev/null
+++ b/debian/patches/features/better-reporting-for-security-checks
@@ -0,0 +1,91 @@
+From: Christian Kastner <debian at kvr.at>
+Date: Fri, 24 Sep 2011 00:48:00 +0200
+Subject: Better reporting for security checks
+
+Split the error conditions for the WRONG INODE INFO into separate tests with
+more informative error messages (wrong mode, wrong owner, wrong link count).
+
+Bug-Debian: http://bugs.debian.org/625491
+Bug-Debian: http://bugs.debian.org/625493
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/27520
+
+Last-Update: 2011-09-24
+Index: sf3/database.c
+===================================================================
+--- sf3.orig/database.c 2011-09-24 00:45:48.392004747 +0200
++++ sf3/database.c 2011-09-24 00:45:58.744004760 +0200
+@@ -360,12 +360,24 @@
+ log_it(fname, getpid(), "WRONG FILE OWNER", tabname);
+ goto next_crontab;
+ }
+- if (!S_ISREG(statbuf->st_mode) ||
+- statbuf->st_nlink != 1 ||
+- (statbuf->st_mode & 07777) != 0600) {
+- log_it(fname, getpid(), "WRONG INODE INFO", tabname);
+- goto next_crontab;
+- }
++
++ /* Check to make sure that the crontab is a regular file */
++ if (!S_ISREG(statbuf->st_mode)) {
++ log_it(fname, getpid(), "NOT A REGULAR FILE", tabname);
++ goto next_crontab;
++ }
++
++ /* Check to make sure that the crontab's permissions are secure */
++ if ((statbuf->st_mode & 07777) != 0600) {
++ log_it(fname, getpid(), "INSECURE MODE (mode 0600 expected)", tabname);
++ goto next_crontab;
++ }
++
++ /* Check to make sure that there are no hardlinks to the crontab */
++ if (statbuf->st_nlink != 1) {
++ log_it(fname, getpid(), "NUMBER OF HARD LINKS > 1", tabname);
++ goto next_crontab;
++ }
+ } else {
+ /* System crontab path. These can be symlinks, but the
+ symlink and the target must be owned by root. */
+@@ -388,22 +400,39 @@
+ log_it(fname, getpid(), "FSTAT FAILED", tabname);
+ goto next_crontab;
+ }
++
+ /* Check to make sure that the crontab is owned by root */
+ if (statbuf->st_uid != ROOT_UID) {
+ log_it(fname, getpid(), "WRONG FILE OWNER", tabname);
+ goto next_crontab;
+ }
+- /* Check to make sure that the crontab is writable only by root */
+- if ((statbuf->st_mode & S_IWGRP) || (statbuf->st_mode & S_IWOTH)) {
+- log_it(fname, getpid(), "WRONG INODE INFO", tabname);
++
++ /* Check to make sure that the crontab is a regular file */
++ if (!S_ISREG(statbuf->st_mode)) {
++ log_it(fname, getpid(), "NOT A REGULAR FILE", tabname);
+ goto next_crontab;
+- }
++ }
++
++ /* Check to make sure that the crontab is writable only by root
++ * This should really be in sync with the check for users above
++ * (mode 0600). An upgrade path could be implemented for 4.1
++ */
++ if ((statbuf->st_mode & S_IWGRP) || (statbuf->st_mode & S_IWOTH)) {
++ log_it(fname, getpid(), "INSECURE MODE (group/other writable)", tabname);
++ goto next_crontab;
++ }
+ /* Technically, we should also check whether the parent dir is
+ * writable, and so on. This would only make proper sense for
+ * regular files; we can't realistically check all possible
+ * security issues resulting from symlinks. We'll just assume that
+ * root will handle responsible when creating them.
+ */
++
++ /* Check to make sure that there are no hardlinks to the crontab */
++ if (statbuf->st_nlink != 1) {
++ log_it(fname, getpid(), "NUMBER OF HARD LINKS > 1", tabname);
++ goto next_crontab;
++ }
+ }
+ /*
+ * The link count check is not sufficient (the owner may
diff --git a/debian/patches/series b/debian/patches/series
index e4e0988..68101c6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -40,6 +40,7 @@ features/debian-logging-configuration
features/properly-handle-time-skips
features/swap-both-uid-and-gid
features/security-make-crontab-setgid-crontab
+features/better-reporting-for-security-checks
features/auditlog-support
features/run-on-reboot
features/set-contenttype-in-mail
--
Git repository for pkg-cron
More information about the Pkg-cron-devel
mailing list