Bug 373654

Summary:	PERMISSION_SECURITY set to secure by default
Product:	[openSUSE] openSUSE 11.0	Reporter:	Ciaran Farrell <ciaran.farrell>
Component:	Installation	Assignee:	Jiří Suchomel <jsuchome>
Status:	RESOLVED FIXED	QA Contact:	Jiri Srain <jsrain>
Severity:	Normal
Priority:	P5 - None	CC:	coolo, felix, fnmueller, joop, jsuchome, lnussel, zaitor
Version:	Factory
Target Milestone:	---
Hardware:	Other
OS:	Other
Whiteboard:
Found By:	---	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---
Attachments:	y2logs from my laptop 11.0 install

Description Ciaran Farrell 2008-03-25 15:44:25 UTC

Is this a new security feature?

cfarrell@paddy:~> crontab -e
bash: /usr/bin/crontab: Permission denied
cfarrell@paddy:~>



cfarrell@paddy:~> uname -a
Linux paddy 2.6.25-rc5-git3-6-pae #1 SMP 2008-03-14 16:14:49 +0100 i686 i686 i386 GNU/Linux
cfarrell@paddy:~> 

cfarrell@paddy:~> ls -la /usr/bin/crontab 
-rwsr-x--- 1 root trusted 35216 2008-03-15 16:12 /usr/bin/crontab
cfarrell@paddy:~>

Comment 1 Juergen Weigert 2008-03-25 15:49:18 UTC

$ getfacl /usr/bin/crontab
getfacl: Removing leading '/' from absolute path names
# file: usr/bin/crontab
# owner: root
# group: trusted
user::rwx
group::r-x
other::---



This is a regression. In 10.3 /usr/bin/crontab was user-callable:
-rwsr-xr-x 1 root trusted 40672 Sep 21  2007 /usr/bin/crontab

Comment 2 Matthias Koenig 2008-04-02 13:27:57 UTC

This depends on the permissions file you use:

# grep "/usr/bin/crontab" /etc/permissions*
/etc/permissions.easy:/usr/bin/crontab              root:trusted      4755
/etc/permissions.paranoid:/usr/bin/crontab          root:trusted      0755
/etc/permissions.secure:/usr/bin/crontab            root:trusted      4750

Maybe our default changed?
Reassigning to Ludwig.

Comment 3 Ludwig Nussel 2008-04-02 13:30:52 UTC

maybe factory installs with 'secure' as default. No idea whether that's intended or not.

Comment 4 Juergen Weigert 2008-04-02 16:39:56 UTC

If we changed to paranoid without intent, then this is a bug as it should not have happened.
If we changed to paranoid with intent, then it is a bug not to communicate such a change.

What is our default permission setting for 11.0?

Comment 5 Juergen Weigert 2008-04-02 16:52:31 UTC

Is there any documentation what the purpose of group 'trusted' is?
The 4750 setting only makes sense, if the group is used.

Comment 6 Ludwig Nussel 2008-04-03 06:48:24 UTC

from /etc/permissions.secure:
# system administrator for advice. In many cases, adding a user to the 
# "trusted" group gives her access to the resources that are not accessible
# any more if the admin chose to select "secure" as the permissions default.

I don't think changing the default to secure was intended. The default is not set by the permissions package though but some policy file for yast I think. Reassignig to coolo as he has to decide what permissions level he wants for openSUSE.

Comment 7 Stephan Kulow 2008-04-03 07:16:31 UTC

what exactly did you install? do you have log files?

we surely did not change the default.

Comment 8 Ciaran Farrell 2008-04-03 07:28:09 UTC

(In reply to comment #7 from Stephan Kulow)
> what exactly did you install? do you have log files?
> 
> we surely did not change the default.
> 

I did the same as what I always do:

./suse/lnussel/bin/setupgrubfornfsinstall -> SLP scan -> FTP openSUSE 11.0 Build 55 DVD

I used the default new installation and changed nothing.

Comment 9 Stephan Kulow 2008-04-03 07:58:28 UTC

you forgot the log files - /var/log/YaST?

Comment 10 Ludwig Nussel 2008-04-03 08:08:54 UTC

Wild guess, if the default didn't change could it be that SuSEconfig was not run?
If this command:
$ grep SECU /etc/sysconfig/security

says "easy local" it probably wasn't.

Comment 11 Ciaran Farrell 2008-04-03 08:12:10 UTC

Sorry. Log files futsch because I re-installed 10.3.

Comment 12 Stephan Kulow 2008-04-03 08:37:40 UTC

ok, then this is a dead end. See you next time :)

Comment 13 Juergen Weigert 2008-04-03 14:41:13 UTC

wait. Dead End for Ciaran only. 

I claim, it can be reproduces with 
each and every 11.0 installation.
I also tested build55.
y2logs appended.

Comment 14 Juergen Weigert 2008-04-03 14:45:29 UTC

Created attachment 206063 [details]
y2logs from my laptop 11.0 install

Comment 15 Stephan Kulow 2008-04-03 15:05:09 UTC

could you please then answer #10?

Comment 16 Juergen Weigert 2008-04-03 15:14:17 UTC

The answer is yes.

in 11.0 /etc/sysconfig/security contains
PERMISSION_SECURITY="secure local"

in 10.3 it contained
PERMISSION_SECURITY="easy local"

Comment 17 Lukas Ocilka 2008-04-04 16:01:40 UTC

yast2-security: jsuchome

Comment 18 Jiří Suchomel 2008-04-07 08:37:02 UTC

Why is this on YaST? YaST is not responsible for /etc/sysconfig/security

Comment 19 Jiří Suchomel 2008-04-07 09:13:40 UTC

... but it may be a bug in yast2-users, during second-stage write of root/first user.

Comment 20 Jiří Suchomel 2008-04-07 11:41:11 UTC

I found some problem in yast2-users (yast2-users-2.16.23), but I wasn't able to reproduce reported behavior. I hope it will fix the problem, please test again with next Alpha/Beta release.

Comment 21 Jiří Suchomel 2008-04-10 13:40:59 UTC

*** Bug 376819 has been marked as a duplicate of this bug. ***

Comment 22 Ludwig Nussel 2008-04-14 07:56:12 UTC

*** Bug 379373 has been marked as a duplicate of this bug. ***

Comment 23 Felix Möller 2008-04-22 15:01:53 UTC

*** Bug 375155 has been marked as a duplicate of this bug. ***

Comment 24 Helmut Schaa 2008-09-08 11:50:41 UTC

*** Bug 420995 has been marked as a duplicate of this bug. ***