Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 29 Feb 2012 08:57:16 +0000
From:      Anton Shterenlikht <mexas@bristol.ac.uk>
To:        Jason Hellenthal <jhellenthal@dataix.net>
Cc:        freebsd-current@freebsd.org, jb <jb.1234abcd@gmail.com>
Subject:   Re: negative group permissions?
Message-ID:  <20120229085716.GA66484@mech-cluster241.men.bris.ac.uk>
In-Reply-To: <20120229072458.GA95427@DataIX.net>
References:  <20120228092244.GB48977@mech-cluster241.men.bris.ac.uk> <loom.20120228T155607-690@post.gmane.org> <20120228162447.GB58311@mech-cluster241.men.bris.ac.uk> <20120229072458.GA95427@DataIX.net>

next in thread | previous in thread | raw e-mail | index | archive | help
On Wed, Feb 29, 2012 at 02:24:58AM -0500, Jason Hellenthal wrote:
> 
> 
> On Tue, Feb 28, 2012 at 04:24:47PM +0000, Anton Shterenlikht wrote:
> > On Tue, Feb 28, 2012 at 03:07:43PM +0000, jb wrote:
> > > Anton Shterenlikht <mexas <at> bristol.ac.uk> writes:
> > > 
> > > > 
> > > > This was discussed in questions@ with no resolution.
> > > > Anybody here can advise further?
> > > > ...
> > > 
> > > Regarding file .seq or .SEQ
> > > 
> > > It is an intermediate-processing (run-time) lockfile found in various spool 
> > > dirs and their sub-dirs, like
> > > /var/spool/cron/
> > >           /at,
> > >           /lpd, etc.
> > > It is used to save job# by the respective programs (cron, at, etc).
> > > You can find a ref to .SEQ in file at.c in at port sources.
> > > I did not see ref to .seq in lpr or cron port sources.
> > > 
> > > The periodic security check 
> > > /etc/periodic/security/110.neggrpperm
> > > checks for risque condition like
> > > ! -perm +010 -and -perm +001
> > > 
> > > The file should not be executable, according to its purpose.
> > > 
> > > So the lpr.c should be changed from
> > > if ((fd = open(buf, O_RDWR|O_CREAT, 0661)) < 0) {
> > > to
> > > if ((fd = open(buf, O_RDWR|O_CREAT, 0660)) < 0) {
> > > 
> > > File a bug report.
> > 
> > http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/165533
> 
> The only thing that is wrong here is the misconception of negative
> permissions. This bit of code tracks all the way back to 4.3BSD and
> probably further while LPR dates back to 3BSD. Nobody programs 661 for no
> reason and changing that code will most likely have a negative impact
> and I do not see that as a real answer to this problem.
> 
> Above I see your .seq file created 0641 so not only do you have a
> negative permission on the file you are also missing a bit ;). You might
> want to review some of your other permissions to see if anything is
> missing. That has been explained all over the net for the differences
> of x86 & x86_64 systems.

To the best of my knowledge the security warning started
to appear recently. For the previous 2 years or so I haven't
seen it. Now, I didn't modify the default security scripts,
nor the lpd system. The file is created with this permissions
because the OS created it like this, not me. I've no idea
why my file is 0641 instead of 0661.

So, given that the lpr.c hasn't changed for years,
perhaps the periodic scripts have, and what was
earlier considered fine now is considered serious enough
to issue a security warning.

In any case, it seems either lpr.c needs to be changed,
or if 0661 is necessary, then the periodic sripts need to
be changed to ignore this file.

-- 
Anton Shterenlikht
Room 2.6, Queen's Building
Mech Eng Dept
Bristol University
University Walk, Bristol BS8 1TR, UK
Tel: +44 (0)117 331 5944
Fax: +44 (0)117 929 4423



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120229085716.GA66484>