From owner-freebsd-questions@FreeBSD.ORG  Fri Feb 24 13:42:07 2012
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id B1B90106566C
	for <freebsd-questions@freebsd.org>;
	Fri, 24 Feb 2012 13:42:07 +0000 (UTC)
	(envelope-from trond@fagskolen.gjovik.no)
Received: from smtp.fagskolen.gjovik.no (smtp.fagskolen.gjovik.no
	[IPv6:2001:700:1100:1:200:ff:fe00:b])
	by mx1.freebsd.org (Postfix) with ESMTP id CEE1C8FC14
	for <freebsd-questions@freebsd.org>;
	Fri, 24 Feb 2012 13:42:05 +0000 (UTC)
Received: from mail.fig.ol.no (localhost [127.0.0.1])
	by mail.fig.ol.no (8.14.5/8.14.5) with ESMTP id q1ODfi7C010023
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
	Fri, 24 Feb 2012 14:41:44 +0100 (CET)
	(envelope-from trond@fagskolen.gjovik.no)
Received: from localhost (trond@localhost)
	by mail.fig.ol.no (8.14.5/8.14.5/Submit) with ESMTP id q1ODfiES010020; 
	Fri, 24 Feb 2012 14:41:44 +0100 (CET)
	(envelope-from trond@fagskolen.gjovik.no)
X-Authentication-Warning: mail.fig.ol.no: trond owned process doing -bs
Date: Fri, 24 Feb 2012 14:41:44 +0100 (CET)
From: =?ISO-8859-1?Q?Trond_Endrest=F8l?= <Trond.Endrestol@fagskolen.gjovik.no>
Sender: Trond.Endrestol@fagskolen.gjovik.no
To: Anton Shterenlikht <mexas@bristol.ac.uk>
In-Reply-To: <20120224125430.GB8026@mech-cluster241.men.bris.ac.uk>
Message-ID: <alpine.BSF.2.00.1202241433110.47275@mail.fig.ol.no>
References: <20120224090848.GA28104@mech-cluster241.men.bris.ac.uk>
	<4F47598A.9080400@infracaninophile.co.uk>
	<20120224125430.GB8026@mech-cluster241.men.bris.ac.uk>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
Organization: Fagskolen Innlandet
OpenPGP: url=http://fig.ol.no/~trond/trond.key
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED;
	BOUNDARY="2055831798-1676597965-1330090904=:47275"
X-Spam-Status: No, score=-2.8 required=5.0 tests=ALL_TRUSTED,AWL,BAYES_00
	autolearn=ham version=3.3.2
X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on mail.fig.ol.no
Cc: FreeBSD questions <freebsd-questions@freebsd.org>
Subject: Re: negative group permissions?
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
	<mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Feb 2012 13:42:07 -0000

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

--2055831798-1676597965-1330090904=:47275
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: 8BIT

On Fri, 24 Feb 2012 12:54-0000, Anton Shterenlikht wrote:

> On Fri, Feb 24, 2012 at 09:34:02AM +0000, Matthew Seaman wrote:
> > On 24/02/2012 09:08, Anton Shterenlikht wrote:
> > > Recently I started seeing this line
> > > in daily security output:
> > > 
> > >   Checking negative group permissions:
> > >   70834 -rw-r----x  1 root  daemon  4 Feb 21 12:54:02 2012 /var/spool/output/lpd/.seq
> > > 
> > > I've a parallel printer attached to
> > > a 9.9-CURRENT #2 r230787M box.
> > > 
> > > What does it mean?
> > 
> > This means that non-root users in group daemon have only read
> > permissions on that file.  Users that aren't root and that aren't in
> > group daemon have execute permission only.
> > 
> > It does look a bit odd, and I believe that file would just contain a job
> > number (IIRC -- haven't dealt much with lpd or lprng much recently)
> > so executing it doesn't really achieve anything.
> > 
> > This is the standard idiom to allow access for 'everyone, except members
> > of a particular group.'
> 
> yes, I get this.
> 
> 
> > One way you can get weird permissions is if you happen to use decimal
> > for permissions bitmaps rather than octal.  A umask of '77' is not the
> > same thing at all as a umask of '077'.  (It's effectively 0115, which
> > doesn't make much sense to me.)  Most shells nowadays will assume you
> > mean octal whether you include the leading zero or not: the same is not
> > true if you use umask(2) to set the mask programatically.  Ditto for
> > other places you can set permissions like open(2) with O_CREAT or mkdir(2).
> 
> # umask
> 0022
> # pwd
> /var/spool/output/lpd
> # ls -al
> total 8
> drwxr-xr-x  2 root  daemon  512 Feb 24 12:43 .
> drwxr-xr-x  3 root  daemon  512 Mar  9  2010 ..
> -rw-rw-r--  1 root  daemon   41 Feb 21 12:54 lock
> -rw-rw-r--  1 root  daemon   25 Feb 21 12:54 status
> #
> 
> Then I print something:
> 
> % pwd | lpr
> 
> Then this .seq file appears with weird permissions:
> 
> # ls -al
> total 10
> drwxr-xr-x  2 root  daemon  512 Feb 24 12:46 .
> drwxr-xr-x  3 root  daemon  512 Mar  9  2010 ..
> -rw-r----x  1 root  daemon    4 Feb 24 12:45 .seq
> -rw-rw-r--  1 root  daemon   41 Feb 24 12:45 lock
> -rw-rw-r--  1 root  daemon   25 Feb 24 12:45 status
> # 
> 
> # cat .seq 
> 001
> #
> 
> So presumably lpd(8) created this file, but I'm still
> unsure why permissions are so strange. But interests
> me more, is why I didn't see it until about 1-2 months
> ago? Has something chaged in -current, e.g. in open(2)
> like you suggest? Or has I messed up with my setup?
> Or maybe it was always like this, but the security
> check didn't pick it up?
> 
> > 
> > > Should I be worried?
> > 
> > No more than a normal level of paranoia is indicated here.

Looking at usr.sbin/lpr/lpr/lpr.c at around line 847 (RELENG_9):

        (void) snprintf(buf, sizeof(buf), "%s/.seq", pp->spool_dir);
        seteuid(euid);
        if ((fd = open(buf, O_RDWR|O_CREAT, 0661)) < 0) {
                printf("%s: cannot create %s\n", progname, buf);
                exit(1);
        }
        if (flock(fd, LOCK_EX)) {
                printf("%s: cannot lock %s\n", progname, buf);
                exit(1);
        }

It remains a mystery why these files are created with mode 0661. Mode 
0660 should be more than sufficient. Maybe it's because of flock(2), 
but the manpage for flock(2) does not mention the execute bit at all.

The lpc enable/disable commands seem to affect only the group execute 
bit of the lock file.

I haven't found any other source files where .seq files are created 
or being used. Feel free to prove me wrong. :D

-- 
+-------------------------------+------------------------------------+
| Vennlig hilsen,               | Best regards,                      |
| Trond Endrestøl,              | Trond Endrestøl,                   |
| IT-ansvarlig,                 | System administrator,              |
| Fagskolen Innlandet,          | Gjøvik Technical College, Norway,  |
| tlf. dir.   61 14 54 39,      | Office.....: +47 61 14 54 39,      |
| tlf. mob.   952 62 567,       | Cellular...: +47 952 62 567,       |
| sentralbord 61 14 54 00.      | Switchboard: +47 61 14 54 00.      |
+-------------------------------+------------------------------------+
--2055831798-1676597965-1330090904=:47275--