Bug 1218107

Summary: AUDIT-WHITELIST: cronie: cron job script /etc/cron.hourly/0anacron changed in content
Product: [openSUSE] openSUSE Tumbleweed Reporter: Ana Guerrero <ana.guerrero>
Component: Security Assignee: Matthias Gerstner <matthias.gerstner>
Status: RESOLVED FIXED QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None    
Version: Current   
Target Milestone: ---   
Hardware: Other   
OS: Other   

Description Ana Guerrero 2023-12-15 13:43:35 UTC
Looks like cronie needs an update (ref https://build.opensuse.org/request/show/1127725)

Thank you!

[   15s] cron.x86_64: W: permissions-dir-without-slash /etc/cron.d
[   15s] cron.x86_64: W: permissions-dir-without-slash /etc/cron.daily
[   15s] cron.x86_64: W: permissions-dir-without-slash /etc/cron.hourly
[   15s] cron.x86_64: W: permissions-dir-without-slash /etc/cron.monthly
[   15s] cron.x86_64: W: permissions-dir-without-slash /etc/cron.weekly
[   15s] the entry in the permissions file refers to a directory. Please contact
[   15s] security@suse.de to append a slash to the entry in order to avoid security
[   15s] problems. Please refer to
[   15s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[   15s] more information.


[   15s] 
[   15s] cronie-anacron.x86_64: E: cron-file-digest-mismatch (Badness: 10000) /etc/cron.hourly/0anacron expected sha256:aa129d2165f669770b20d20fe5d826f242a069a8f9fc2323333b91d0c9ca40c9, has:884c2929d912e2c3ebdffee63159d922fc539c9a83643cc0fea809ced69e9fb3
[   15s] cronie-anacron.x86_64: E: cron-file-digest-mismatch (Badness: 10000) /etc/cron.hourly/0anacron expected sha256:6e8a152a16e84ddc10e8ab1c2ed2bad28adbfc3b0b1ced62518c4ab0ada87220, has:884c2929d912e2c3ebdffee63159d922fc539c9a83643cc0fea809ced69e9fb3
[   15s] A whitelisted cron job related file changed in content. Packaging cron jobs
[   15s] requires a review and whitelisting by the SUSE security team. If the package
[   15s] is intended for inclusion in any SUSE product please open a bug report to
[   15s] request review of the package by the security team. Please refer to
[   15s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[   15s] more information.

Comment 1 Matthias Gerstner 2023-12-15 14:49:19 UTC
Thank you for opening the audit bug.

With the new package a small diff resulted in the cron.hourly/0anacron script.
Mainly it is now possible to override the behaviour of not running anacron
when the system is on battery power.

This requires no big review; we will adapt the whitelisting.

The warnings in comment 0 regarding permissions-dir-without-slash should also
be addressed while we're at it.

Comment 2 Matthias Gerstner 2023-12-15 15:05:14 UTC
It seems there is something wrong in rpmlint's SUIDPermissionsCheck. The
warning permissions-dir-without-slash is bogus. The entries in the permissions
profiles do have a trailing slash. We will have to investigate this.

Comment 3 Matthias Gerstner 2023-12-20 13:45:24 UTC
I found the reason for the buggy permissions-dir-without-slash reporting. This
rpmlint check will be fixed.

The whitelisting for the new anacron script is also prepared.

Comment 4 Matthias Gerstner 2023-12-28 11:21:26 UTC
The new whitelisting is now in Factory and the buggy
permissions-dir-without-slash warning should also be gone now.

Closing as fixed.