Bugzilla – Full Text Bug Listing

| Summary: | sudo rpm reports wrong permissions in /var/lib/sudo directory | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE Distribution | Reporter: | Markos Chandras <mchandras> |
| Component: | Security | Assignee: | Kristyna Streitova <kstreitova> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | | |
| Priority: | P5 - None | CC: | matthias.gerstner |
| Version: | Leap 15.0 | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Markos Chandras
2018-06-14 11:00:27 UTC
For the record, permissions of those directories on Leap15 after sudo install:

```
drwx--x--x 4 root root 4.0K 2. Mai 12:43 /var/lib/sudo
drwx------ 2 root root 4.0K 6. Jun 09:33 /var/lib/sudo/ts
```

Permissions of those directories after "fixing" perms with rpm:

```
drwx------ 4 root root 4.0K 2. Mai 12:43 /var/lib/sudo
d--------- 2 root root 4.0K 6. Jun 09:33 /var/lib/sudo/ts
```
I am not sure why rpm thinks that /var/lib/sudo/ts has wrong permissions. In
the sudo spec file the ts directory is %ghost'ed. /var/lib/sudo on the other
hand is explicitly assigned permissions in the spec file:

```
%attr(0700,root,root) %dir %ghost %{_localstatedir}/lib/%{name}
```

The original permissions after package install seem correct to me. The ts
directory without any bits set is most certainly wrong.
The reason why sudo stops working after "fixing" permissions with rpm is that
the setuid bit is missing. You can reset it by calling `chkstat --system`
(but be careful, this could also reset other permissions you are not aware
of).
Anyways I don't see a security issue here. I am assigning this to the sudo
maintainer for further handling.
This bug is a duplicate of bug 1096050 which is related to bug 1096072 (FIPS mode is unexpectedly activated). Please see the details there.

*** This bug has been marked as a duplicate of bug 1096050 ***

(In reply to Kristyna Streitova from comment #2)
> *** This bug has been marked as a duplicate of bug 1096050 ***

After further research, it seems that this bug is not a duplicate of bugs 1096050 and 1096072. The problem is wrong permissions for /var/lib/sudo and /var/lib/sudo/ts. These directories are created by sudo with permissions 711 and 700, so we should respect that in the specfile even if it's %ghost'ed. I will create submissions with the fix.

(In reply to Markos Chandras from comment #0)
> Attempting to fix this with 'rpm --setperms sudo' and 'rpm --setugids sudo'
> results in a broken sudo

As Matthias said, the reason is that the setuid bit is missing. That's caused by the "rpm --setugids sudo" call. It's an expected result, as the rpm manpage says:

"rpm --setugids PACKAGE_NAME sets user/group ownership of files in the given package. This command can change permissions of files in that package. It is caused by calling command chmod that can clear SUID and SGID bits in some situations. So it is safer to call also --setperms after calling --setugids."

> Leap 42.3 is fine so it seems like a regression to me.

The reason why "rpm -V sudo" for openSUSE:Leap 42.3 didn't show any changes is that rpm never verified %ghost files. This functionality was recently added.

Submitted for openSUSE:Factory (sr#636863) and SLE15 (mr#172522). When it's released for SLE15 the fix will appear in openSUSE:Leap:15.0:Update. I'm closing this as fixed.

SUSE-RU-2018:3009-1: An update that has one recommended fix can now be installed.
Category: recommended (low)
Bug References: 1097643
CVE References:
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src): sudo-1.8.22-4.3.3

openSUSE-RU-2018:3039-1: An update that has one recommended fix can now be installed.
Category: recommended (low)
Bug References: 1097643
CVE References:
Sources used:
openSUSE Leap 15.0 (src): sudo-1.8.22-lp150.3.3.1
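The mismatch discussed in this thread (sudo creating /var/lib/sudo and /var/lib/sudo/ts as 0711 and 0700, the spec declaring different or no %attr values, and `rpm --setperms`/`--setugids` then applying the spec values and dropping the setuid bit) can be reproduced as a small permission audit without rpm. The following is an added example, not code from the sudo package or from anyone in this thread: it parses %attr lines from a constructed spec fragment (the 0711/0700 values follow the fix described in the comments; the exact lines of sudo.spec and the pre-expanded macro paths are assumptions), converts ls -l mode strings such as `drwx--x--x` into numeric modes, and reports where observed permissions diverge from declared ones, including the lost setuid bit on /usr/bin/sudo. The `stat_live` helper applies the same comparison to the running system and skips paths that do not exist, since %ghost entries need not be present.

```python
import grp
import os
import pwd
import re
import stat

# Constructed spec fragment (assumption: mirrors the fixed sudo.spec with rpm
# macros such as %{_localstatedir} and %{name} already expanded).
SPEC_FRAGMENT = """
%attr(0711,root,root) %dir %ghost /var/lib/sudo
%attr(0700,root,root) %dir %ghost /var/lib/sudo/ts
%attr(4755,root,root) /usr/bin/sudo
"""

# Constructed listings (mode owner group path); the link-count, size and date
# columns of real ls -l output are left out. Modes mirror the two states from
# the bug: right after install, and after rpm --setperms/--setugids sudo.
LISTING_AFTER_INSTALL = """
drwx--x--x root root /var/lib/sudo
drwx------ root root /var/lib/sudo/ts
-rwsr-xr-x root root /usr/bin/sudo
"""
LISTING_AFTER_SETPERMS = """
drwx------ root root /var/lib/sudo
d--------- root root /var/lib/sudo/ts
-rwxr-xr-x root root /usr/bin/sudo
"""

ATTR_RE = re.compile(r"%attr\((\d+),([^,]+),([^)]+)\)\s+(?:%\w+\s+)*(\S+)")

def parse_spec_attrs(text):
    """Map path -> (mode, owner, group) for every %attr line in the fragment."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR_RE.match(line.strip())
        if m:
            mode, owner, group, path = m.groups()
            attrs[path] = (int(mode, 8), owner, group)
    return attrs

# Permission bit for each of the nine rwx columns, plus the special bit that
# ls shows as s/S (setuid, setgid) or t/T (sticky) in the execute columns.
_BITS = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
         stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
         stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
_SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}

def symbolic_to_mode(sym):
    """Convert an ls -l mode string ('drwx--x--x', '-rwsr-xr-x') to a numeric
    mode including setuid/setgid/sticky bits; the file-type column is ignored."""
    if len(sym) != 10:
        raise ValueError("expected a 10-character ls mode string: %r" % sym)
    mode = 0
    for i, ch in enumerate(sym[1:]):
        if ch == "-":
            continue
        if ch in "rwx":
            mode |= _BITS[i]
        elif ch in "sStT" and i in _SPECIAL:
            mode |= _SPECIAL[i]
            if ch.islower():        # lowercase: the execute bit is set as well
                mode |= _BITS[i]
        else:
            raise ValueError("bad permission character %r in %r" % (ch, sym))
    return mode

def parse_listing(text):
    """Map path -> (mode, owner, group) from the constructed listing format."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            sym, owner, group, path = line.split()
            entries[path] = (symbolic_to_mode(sym), owner, group)
    return entries

def verify(expected, actual):
    """Compare declared attributes with observed ones, like a narrow rpm -V.
    Returns (path, field, expected, actual) tuples; modes are rendered in octal."""
    problems = []
    for path, (mode, owner, group) in sorted(expected.items()):
        if path not in actual:
            continue                # %ghost paths may legitimately be absent
        a_mode, a_owner, a_group = actual[path]
        if a_mode != mode:
            problems.append((path, "mode", "%04o" % mode, "%04o" % a_mode))
        if a_owner != owner:
            problems.append((path, "owner", owner, a_owner))
        if a_group != group:
            problems.append((path, "group", group, a_group))
    return problems

def stat_live(paths):
    """Read (mode, owner, group) for existing paths from the running system."""
    entries = {}
    for path in paths:
        try:
            st = os.lstat(path)
        except FileNotFoundError:
            continue
        try:
            owner, group = pwd.getpwuid(st.st_uid).pw_name, grp.getgrgid(st.st_gid).gr_name
        except KeyError:            # uid/gid without a name: report the number
            owner, group = str(st.st_uid), str(st.st_gid)
        entries[path] = (stat.S_IMODE(st.st_mode), owner, group)
    return entries

if __name__ == "__main__":
    spec = parse_spec_attrs(SPEC_FRAGMENT)
    print("after install:", verify(spec, parse_listing(LISTING_AFTER_INSTALL)))
    print("after rpm --setperms/--setugids:", verify(spec, parse_listing(LISTING_AFTER_SETPERMS)))
    print("live system:", verify(spec, stat_live(spec)))
```

On the constructed "after install" listing the audit reports nothing; on the "after --setperms" listing it flags /var/lib/sudo (0711 expected, 0700 found), /var/lib/sudo/ts (0700 expected, 0000 found) and /usr/bin/sudo (4755 expected, 0755 found), which is the broken state the reporter saw. Running the live check after a `--setugids` is the quick way to confirm that `--setperms` (or `chkstat --system` on openSUSE) has restored the setuid bit before relying on sudo again.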