theslinux-buildsystem.fcron updated 2639345 security fix: :fcrontab must not run as :root
- From: git@xxxxxxxxxxxxxxxxxxxx
- To: theslinux-phantom@xxxxxxxxxxxxx
- Date: Mon, 26 Aug 2013 17:37:35 -0700
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "theslinux-buildsystem".
The branch, fcron has been updated
via 26393457ae3a2e9c78672757ba2eba920b0e8e8d (commit)
via a0a486941cd7e3cf8c364e9e542442115f16e859 (commit)
from 2c2b4b16acb30e6eefda56bb84bb9ac9f5b48c5e (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 26393457ae3a2e9c78672757ba2eba920b0e8e8d
Author: Ky-Anh Huynh <kyanh@xxxxxxxxxxxxx>
Date: Tue Aug 27 07:37:12 2013 +0700
security fix: :fcrontab must not run as :root
The "--with-{user,group}name=" flags specify the user under that
the ":fcrontab" program runs. This program should not run as :root;
otherwise, any trivial user on the system can use the ":runas" field
to escape their own privilege, and to be :root.
These flags should never be ":root" or ":wheel" group.
Please note that ":fcrontab" is a :suid program. On :cronie, :crontab
belongs to root, has :suid flag, and it just works without any problem.
I think the design of :fcron is different.
But it should not work like this.
Please note this :pkgbuild is not complete. Other things to do:
* Add new user (:fcron)
* Fix some file permissions (/etc/fcron/fcron.conf -> root:fcron)
* Fix dir. and files permissions in /var/spool/fcron
commit a0a486941cd7e3cf8c364e9e542442115f16e859
Author: Ky-Anh Huynh <kyanh@xxxxxxxxxxxxx>
Date: Mon Aug 26 10:44:32 2013 +0700
Fix use :pkgname (-> :pkgbase) in :source
-----------------------------------------------------------------------
Summary of changes:
fcron/PKGBUILD | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/fcron/PKGBUILD b/fcron/PKGBUILD
index 690bacc..73a626d 100644
--- a/fcron/PKGBUILD
+++ b/fcron/PKGBUILD
@@ -19,7 +19,7 @@ conflicts=('dcron')
backup=(etc/fcron/fcron.conf etc/fcron/fcron.allow etc/fcron/fcron.deny \
var/spool/fcron/systab var/spool/fcron/systab.orig)
options=('emptydirs' '!makeflags')
-source=(http://fcron.free.fr/archives/$pkgname-$pkgver.src.tar.gz \
+source=(http://fcron.free.fr/archives/$pkgbase-$pkgver.src.tar.gz \
systab systab.orig run-cron)
md5sums=()
@@ -29,8 +29,8 @@ build() {
--sysconfdir=/etc/fcron \
--with-answer-all=no \
--with-boot-install=no \
- --with-username=root \
- --with-groupname=root \
+ --with-username=fcron \
+ --with-groupname=fcron \
--datarootdir=/usr/share \
--datadir=/usr/share \
--with-docdir=/usr/share/doc \
@@ -41,8 +41,9 @@ build() {
--with-sendmail=/usr/sbin/sendmail
make
+ # The old version 3.0.6 doesn't have the file for `systemd`
# Temporary bugfix make install expects the file in the files directory.
- cp script/fcron.init.systemd files
+ [[ ! -f script/fcron.init.systemd ]] || cp script/fcron.init.systemd files
}
package() {
hooks/post-receive
--
theslinux-buildsystem
--
Purpose: Store commits, feeds from other projects
Post: mailto:theslinux-phantom@xxxxxxxxxxxxx
Archive, Gmane: http://theslinux.org/lists/phantom/
Subscribe: mailto:theslinux-phantom-request@xxxxxxxxxxxxx?Subject=subscribe
Unsubscribe: mailto:theslinux-phantom-request@xxxxxxxxxxxxx?Subject=unsubscribe
Other information: http://theslinux.org/lists (vi) or
http://theslinux.org/lists/en (en)
Support: mailto:theslinux-questions@xxxxxxxxxxxxx
Other related posts:
- » theslinux-buildsystem.fcron updated 2639345 security fix: :fcrontab must not run as :root - git
