Date: Wed, 29 Feb 2012 23:23:12 -0600 From: Brooks Davis <brooks@freebsd.org> To: Jason Hellenthal <jhellenthal@dataix.net> Cc: freebsd-current@freebsd.org, jb <jb.1234abcd@gmail.com>, brooks@freebsd.org Subject: Re: negative group permissions? Message-ID: <20120301052311.GA61926@lor.one-eyed-alien.net> In-Reply-To: <20120229163004.GA64201@DataIX.net> References: <20120228092244.GB48977@mech-cluster241.men.bris.ac.uk> <loom.20120228T155607-690@post.gmane.org> <20120228162447.GB58311@mech-cluster241.men.bris.ac.uk> <20120229072458.GA95427@DataIX.net> <20120229085716.GA66484@mech-cluster241.men.bris.ac.uk> <20120229163004.GA64201@DataIX.net>
next in thread | previous in thread | raw e-mail | index | archive | help
--4Ckj6UjgE2iN1+kY Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Feb 29, 2012 at 11:30:04AM -0500, Jason Hellenthal wrote: >=20 >=20 > On Wed, Feb 29, 2012 at 08:57:16AM +0000, Anton Shterenlikht wrote: > > On Wed, Feb 29, 2012 at 02:24:58AM -0500, Jason Hellenthal wrote: > > >=20 > > >=20 > > > On Tue, Feb 28, 2012 at 04:24:47PM +0000, Anton Shterenlikht wrote: > > > > On Tue, Feb 28, 2012 at 03:07:43PM +0000, jb wrote: > > > > > Anton Shterenlikht <mexas <at> bristol.ac.uk> writes: > > > > >=20 > > > > > >=20 > > > > > > This was discussed in questions@ with no resolution. > > > > > > Anybody here can advise further? > > > > > > ... > > > > >=20 > > > > > Regarding file .seq or .SEQ > > > > >=20 > > > > > It is an intermediate-processing (run-time) lockfile found in var= ious spool=20 > > > > > dirs and their sub-dirs, like > > > > > /var/spool/cron/ > > > > > /at, > > > > > /lpd, etc. > > > > > It is used to save job# by the respective programs (cron, at, etc= ). > > > > > You can find a ref to .SEQ in file at.c in at port sources. > > > > > I did not see ref to .seq in lpr or cron port sources. > > > > >=20 > > > > > The periodic security check=20 > > > > > /etc/periodic/security/110.neggrpperm > > > > > checks for risque condition like > > > > > ! -perm +010 -and -perm +001 > > > > >=20 > > > > > The file should not be executable, according to its purpose. > > > > >=20 > > > > > So the lpr.c should be changed from > > > > > if ((fd =3D open(buf, O_RDWR|O_CREAT, 0661)) < 0) { > > > > > to > > > > > if ((fd =3D open(buf, O_RDWR|O_CREAT, 0660)) < 0) { > > > > >=20 > > > > > File a bug report. > > > >=20 > > > > http://www.freebsd.org/cgi/query-pr.cgi?pr=3Dkern/165533 > > >=20 > > > The only thing that is wrong here is the misconception of negative > > > permissions. This bit of code tracks all the way back to 4.3BSD and > > > probably further while LPR dates back to 3BSD. Nobody programs 661 fo= r no > > > reason and changing that code will most likely have a negative impact > > > and I do not see that as a real answer to this problem. > > >=20 > > > Above I see your .seq file created 0641 so not only do you have a > > > negative permission on the file you are also missing a bit ;). You mi= ght > > > want to review some of your other permissions to see if anything is > > > missing. That has been explained all over the net for the differences > > > of x86 & x86_64 systems. > >=20 > > To the best of my knowledge the security warning started > > to appear recently. For the previous 2 years or so I haven't > > seen it. Now, I didn't modify the default security scripts, > > nor the lpd system. The file is created with this permissions > > because the OS created it like this, not me. I've no idea > > why my file is 0641 instead of 0661. > >=20 > > So, given that the lpr.c hasn't changed for years, > > perhaps the periodic scripts have, and what was > > earlier considered fine now is considered serious enough > > to issue a security warning. > >=20 > > In any case, it seems either lpr.c needs to be changed, > > or if 0661 is necessary, then the periodic sripts need to > > be changed to ignore this file. > >=20 >=20 > Maybe brooks could give some more insight on this. >=20 > ------------------------------------------------------------------------ > r215213 | brooks | 2010-11-12 19:40:43 -0500 (Fri, 12 Nov 2010) | 7 > lines >=20 > Add an (off by default) check for negative permissions (where the > group on a object has less permissions that everyone). These > permissions will not work reliably over NFS if you have more than > 14 supplemental groups and are usually not what you mean. >=20 > MFC after: 1 week Reading over the thread I concur with Ian's analysis than a solitary world execute bit on a file does nothing useful and is likely a typo. Unless someone demonstrates otherwise lpr should be updated. The check was added because I know some FreeBSD consumers have relied on the historical behavior of negative group permissions to deny access to a particular group of users. In FreeBSD > 8.0 you can not rely on this behavior on NFS volumes because some groups may be excluded from the list of groups NFS sees and thus evaluates for access decisions. The use of negative permissions is "safe" if you don't use NFS or only use NFS v4 with GSSAPI. In either case you can to turn this check off. In an ideal world I'd make chmod(2) refuse to set negative permissions, but I suspect that would be too disruptive a change. -- Brooks --4Ckj6UjgE2iN1+kY Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (FreeBSD) iD8DBQFPTwe/XY6L6fI4GtQRAjaMAKDRb00z5MIUnkySZt4DLite6nSsZACdH0aN bLAHoqtTP2OACqdcNRv+xe0= =K2zV -----END PGP SIGNATURE----- --4Ckj6UjgE2iN1+kY--
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120301052311.GA61926>