Bugzilla – Full Text Bug Listing

| Summary: | AUDIT-0: sendmail: permissions config path changed | | |
|---|---|---|---|
| Product: | [openSUSE] openSUSE Tumbleweed | Reporter: | Dr. Werner Fink <werner> |
| Component: | Security | Assignee: | Wolfgang Frisch <wolfgang.frisch> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | | |
| Priority: | P5 - None | CC: | ana.guerrero, dimstar, wolfgang.frisch |
| Version: | Current | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | openSUSE Tumbleweed | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |

Description
Dr. Werner Fink
2024-01-30 09:09:27 UTC
Thanks for opening this bug report. We will schedule it in our team shortly.

Context: https://build.opensuse.org/request/show/1142725

> [ 112s] sendmail.x86_64: E: permissions-file-setuid-bit (Badness: 10000) /usr/sbin/sendmail is packaged with setuid/setgid bits (02555)
> [ 112s] Packaging setuid/setgid binaries requires a review and whitelisting by the
> [ 112s] SUSE security team. If the package is intended for inclusion in any SUSE
> [ 112s] product please open a bug report to request review of the package by the
> [ 112s] security team. Please refer to
> [ 112s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
> [ 112s] more information.

Ah ... to be noted: I've only removed the trailing / from the directories specified to the chkstat command as otherwise this command does not find the directories in the permissions files anymore (even if the trailing / are used there). Also move from /etc/permissions.d/ is required to usr move

Packaging bug identified: sendmail moved the dropins from /etc/permissions.d to /usr/share/permissions instead of /usr/share/permissions/permissions.d

The actual rpmlint issue to be addressed should be

[ 92s] sendmail.x86_64: E: permissions-file-unauthorized (Badness: 10) /usr/share/permissions/permissions.d/sendmail (sha256 file digest default filter:e09ca5efebd0b3c123afc2364f9745f4d85c4327fa83f709bccbaa64da764486 shell filter:e09ca5efebd0b3c123afc2364f9745f4d85c4327fa83f709bccbaa64da764486 xml filter:<failed-to-calculate>)
[ 92s] sendmail.x86_64: E: permissions-file-unauthorized (Badness: 10) /usr/share/permissions/permissions.d/sendmail.paranoid (sha256 file digest default filter:2d5c56cdfb00ec169c182de791cf2934331159842f1849c5f2d7059f0086bd2c shell filter:2d5c56cdfb00ec169c182de791cf2934331159842f1849c5f2d7059f0086bd2c xml filter:<failed-to-calculate>)

(In reply to Dominique Leuenberger from comment #4)
> Packaging bug identified: sendmail moved the dropins from /etc/permissions.d
> to /usr/share/permissions instead of /usr/share/permissions/permissions.d
>
>
> The actual rpmlint issue to be addressed should be
>
> [ 92s] sendmail.x86_64: E: permissions-file-unauthorized (Badness: 10)
> /usr/share/permissions/permissions.d/sendmail (sha256 file digest default
> filter:e09ca5efebd0b3c123afc2364f9745f4d85c4327fa83f709bccbaa64da764486
> shell
> filter:e09ca5efebd0b3c123afc2364f9745f4d85c4327fa83f709bccbaa64da764486 xml
> filter:<failed-to-calculate>)
> [ 92s] sendmail.x86_64: E: permissions-file-unauthorized (Badness: 10)
> /usr/share/permissions/permissions.d/sendmail.paranoid (sha256 file digest
> default
> filter:2d5c56cdfb00ec169c182de791cf2934331159842f1849c5f2d7059f0086bd2c
> shell
> filter:2d5c56cdfb00ec169c182de791cf2934331159842f1849c5f2d7059f0086bd2c xml
> filter:<failed-to-calculate>)

OK ... will resolve this

Do we have a default owner of /usr/share/permissions/permissions.d

rpm -qf /usr/share/permissions/permissions.d
file /usr/share/permissions/permissions.d is not owned by any package

Now I see

[ 60s] sendmail.x86_64: E: permissions-file-unauthorized (Badness: 10) /usr/share/permissions/permissions.d/sendmail (sha256 file digest default filter:e09ca5efebd0b3c123afc2364f9745f4d85c4327fa83f709bccbaa64da764486 shell filter:e09ca5efebd0b3c123afc2364f9745f4d85c4327fa83f709bccbaa64da764486 xml filter:<failed-to-calculate>)
[ 60s] sendmail.x86_64: E: permissions-file-unauthorized (Badness: 10) /usr/share/permissions/permissions.d/sendmail.paranoid (sha256 file digest default filter:2d5c56cdfb00ec169c182de791cf2934331159842f1849c5f2d7059f0086bd2c shell filter:2d5c56cdfb00ec169c182de791cf2934331159842f1849c5f2d7059f0086bd2c xml filter:<failed-to-calculate>)

Badness increases in staging :)

[ 103s] sendmail.x86_64: E: permissions-file-unauthorized (Badness: 10000) /usr/share/permissions/permissions.d/sendmail.paranoid (sha256 file digest default filter:2d5c56cdfb00ec169c182de791cf2934331159842f1849c5f2d7059f0086bd2c shell filter:2d5c56cdfb00ec169c182de791cf2934331159842f1849c5f2d7059f0086bd2c xml filter:<failed-to-calculate>)
[ 103s] sendmail.x86_64: E: permissions-file-unauthorized (Badness: 10000) /usr/share/permissions/permissions.d/sendmail (sha256 file digest default filter:e09ca5efebd0b3c123afc2364f9745f4d85c4327fa83f709bccbaa64da764486 shell filter:e09ca5efebd0b3c123afc2364f9745f4d85c4327fa83f709bccbaa64da764486 xml filter:<failed-to-calculate>)
[ 103s] Packaging permissions.d drop-in snippets requires a review and whitelisting by
[ 103s] the SUSE security team. If the package is intended for inclusion in any SUSE
[ 103s] product please open a bug report to request review of the package by the
[ 103s] security team. Please refer to
[ 103s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[ 103s] more information.
[ 103s]

(In reply to Ana Guerrero from comment #8)
> Badness increases in staging :)

That part is intentional: devel projects don't build against rpmlint-strict in order to be able to test the packages by the devs prior to having all sec audits passed

(In reply to Dr. Werner Fink from comment #6)
> Do we have a default owner of /usr/share/permissions/permissions.d
>
> rpm -qf /usr/share/permissions/permissions.d
> file /usr/share/permissions/permissions.d is not owned by any package

Not yet it seems. Would make sense to have the base directory owned by permissions too. So that packages can just put their files in place.

@dimstar: Thanks for helping out with this. Since the permissions.d hashes haven't changed, I started an rpmlint update right away. It will take a while until it hits Factory though.
https://github.com/rpm-software-management/rpmlint/pull/1178

(In reply to Dominique Leuenberger from comment #9)
> > rpm -qf /usr/share/permissions/permissions.d
> > file /usr/share/permissions/permissions.d is not owned by any package
>
> Not yet it seems. Would make sense to have the base directory owned by permissions
> too. So that packages can just put their files in place.

For this part I propose https://build.opensuse.org/request/show/1142770

@Wolfgang: ok like this or you rather prefer the makefile of permissions to create the dir and it being packaged regularly?

(In reply to Dominique Leuenberger from comment #11)
> (In reply to Dominique Leuenberger from comment #9)
> > > rpm -qf /usr/share/permissions/permissions.d
> > > file /usr/share/permissions/permissions.d is not owned by any package
> >
> > Not yet it seems. Would make sense to have the base directory owned by permissions
> > too. So that packages can just put their files in place.
>
> For this part I propose https://build.opensuse.org/request/show/1142770
>
> @Wolfgang: ok like this or you rather prefer the makefile of permissions to
> create the dir and it being packaged regularly?

Looks good to me! I will get confirmation from the team just to be sure, but I don't expect any opposition and will likely accept the request very soon.

This is an autogenerated message for OBS integration:
This bug (1219339) was mentioned in
https://build.opensuse.org/request/show/1142755 Factory / sendmail

rpmlint update on its way
https://build.opensuse.org/request/show/1142790

A follow-up submission for rpmlint is in Factory staging, along with sendmail. Should be fine now.
https://build.opensuse.org/request/show/1143021
https://build.opensuse.org/project/show/openSUSE:Factory:Staging:I

This is an autogenerated message for OBS integration:
This bug (1219339) was mentioned in
https://build.opensuse.org/request/show/1143293 Factory / rpmlint

Released
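
Added example, not part of the bug report and not rpmlint's own code: the permissions-file-unauthorized errors above name both an install path and a content digest, so a drop-in that moves to a new directory fails the check even though, as noted in the thread, its hashes have not changed. The sketch models that with a constructed drop-in; the package name, the whitelist layout and the behaviour of the "shell" filter (skipping blank and comment lines) are assumptions.

```python
import hashlib

def digest(content: bytes, filt: str = "default") -> str:
    """sha256 over the content. The "shell" filter is assumed to skip
    blank lines and '#' comment lines before hashing."""
    h = hashlib.sha256()
    for line in content.splitlines(keepends=True):
        stripped = line.strip()
        if filt == "shell" and (not stripped or stripped.startswith(b"#")):
            continue
        h.update(line)
    return h.hexdigest()

def check_dropins(installed: dict, whitelist: dict) -> list:
    """installed: path -> file content; whitelist: path -> (filter, digest).
    Returns (path, reason) for every drop-in that is not authorised."""
    findings = []
    for path, content in sorted(installed.items()):
        entry = whitelist.get(path)
        if entry is None:
            findings.append((path, "path not whitelisted"))
        elif digest(content, entry[0]) != entry[1]:
            findings.append((path, "digest mismatch"))
    return findings

def repoint(whitelist: dict, old: str, new: str) -> dict:
    """Move an audited entry to a new path, keeping its digest."""
    updated = dict(whitelist)
    updated[new] = updated.pop(old)
    return updated

# Constructed sample data (hypothetical package "example-mta").
DROPIN = b"/usr/sbin/example-mta  root:mail  2555\n"
OLD = "/etc/permissions.d/example-mta"
NEW = "/usr/share/permissions/permissions.d/example-mta"
WHITELIST = {OLD: ("shell", digest(DROPIN, "shell"))}

if __name__ == "__main__":
    print(check_dropins({OLD: DROPIN}, WHITELIST))   # audited location
    print(check_dropins({NEW: DROPIN}, WHITELIST))   # moved, same content
    print(check_dropins({NEW: DROPIN}, repoint(WHITELIST, OLD, NEW)))
    print(check_dropins({NEW: DROPIN + b"/usr/bin/x root:root 4755\n"},
                        repoint(WHITELIST, OLD, NEW)))  # content changed
```

Re-pointing the entry is safe only because the audited content is byte-identical; any edit to the drop-in changes the digest and calls for a fresh review.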