Bug 1218107 - AUDIT-WHITELIST: cronie: cron job script /etc/cron.hourly/0anacron changed in content
Status: RESOLVED FIXED
Product: openSUSE Tumbleweed
Classification: openSUSE
Component: Security
Version: Current
Hardware: Other Other
Importance: P5 - None : Normal
Assignee: Matthias Gerstner
QA Contact: E-mail List
Reported: 2023-12-15 13:43 UTC by Ana Guerrero
Modified: 2024-02-19 13:00 UTC
Description Ana Guerrero 2023-12-15 13:43:35 UTC
Looks like cronie needs an update (ref https://build.opensuse.org/request/show/1127725 )

Thank you!

[   15s] cron.x86_64: W: permissions-dir-without-slash /etc/cron.d
[   15s] cron.x86_64: W: permissions-dir-without-slash /etc/cron.daily
[   15s] cron.x86_64: W: permissions-dir-without-slash /etc/cron.hourly
[   15s] cron.x86_64: W: permissions-dir-without-slash /etc/cron.monthly
[   15s] cron.x86_64: W: permissions-dir-without-slash /etc/cron.weekly
[   15s] the entry in the permissions file refers to a directory. Please contact
[   15s] security@suse.de to append a slash to the entry in order to avoid security
[   15s] problems. Please refer to
[   15s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[   15s] more information.


[   15s] 
[   15s] cronie-anacron.x86_64: E: cron-file-digest-mismatch (Badness: 10000) /etc/cron.hourly/0anacron expected sha256:aa129d2165f669770b20d20fe5d826f242a069a8f9fc2323333b91d0c9ca40c9, has:884c2929d912e2c3ebdffee63159d922fc539c9a83643cc0fea809ced69e9fb3
[   15s] cronie-anacron.x86_64: E: cron-file-digest-mismatch (Badness: 10000) /etc/cron.hourly/0anacron expected sha256:6e8a152a16e84ddc10e8ab1c2ed2bad28adbfc3b0b1ced62518c4ab0ada87220, has:884c2929d912e2c3ebdffee63159d922fc539c9a83643cc0fea809ced69e9fb3
[   15s] A whitelisted cron job related file changed in content. Packaging cron jobs
[   15s] requires a review and whitelisting by the SUSE security team. If the package
[   15s] is intended for inclusion in any SUSE product please open a bug report to
[   15s] request review of the package by the security team. Please refer to
[   15s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for
[   15s] more information.
Comment 1 Matthias Gerstner 2023-12-15 14:49:19 UTC
Thank you for opening the audit bug.

With the new package a small diff resulted in the cron.hourly/0anacron script.
Mainly it is now possible to override the behaviour of not running anacron
when the system is on battery power.

This requires no big review, we will adapt the whitelisting.

The warnings in comment 0 regarding permissions-dir-without-slash should also
be addressed while we're at it.
Comment 2 Matthias Gerstner 2023-12-15 15:05:14 UTC
It seems there is something wrong in the rpmlint's SUIDPermissionsCheck. The
warning permissions-dir-without-slash is bogus. The entries in the permissions
profiles do have a trailing slash. We will have to investigate this.
Comment 3 Matthias Gerstner 2023-12-20 13:45:24 UTC
I found the reason for the buggy permissions-dir-without-slash reporting. This
rpmlint check will be fixed.

The whitelisting for the new anacron script is also prepared.
Comment 4 Matthias Gerstner 2023-12-28 11:21:26 UTC
The new whitelisting is now in Factory and the buggy
permissions-dir-without-slash warning should also be gone now.

Closing as fixed.
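
The cron-file-digest-mismatch error in the build log above comes from comparing a packaged cron script's SHA-256 with the digests recorded at audit time. The following is an added example, not rpmlint's code and not part of the bug report, showing that comparison with several audited digests per path. The whitelist structure, the finding labels and the script contents are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile

PATH = "/etc/cron.hourly/0anacron"

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_cron_files(root, whitelist):
    """Compare every file under root with its audited digests.

    whitelist: installed path -> set of audited sha256 hex digests
    (assumed structure for this example, not rpmlint's whitelist format).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            installed = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            allowed = whitelist.get(installed)
            if allowed is None:
                findings.append(("not-whitelisted", installed, None))
            elif (actual := sha256_file(full)) not in allowed:
                findings.append(("digest-mismatch", installed, actual))
    return findings

def demo():
    # Constructed sample contents, not the real 0anacron script.
    old = b"#!/bin/sh\n# audited version\nexec /usr/sbin/anacron -s\n"
    new = old + b"# line added by a package update\n"
    whitelist = {PATH: {hashlib.sha256(old).hexdigest()}}
    with tempfile.TemporaryDirectory() as root:
        script = os.path.join(root, PATH.lstrip("/"))
        os.makedirs(os.path.dirname(script))
        results = []
        for content in (old, new):
            with open(script, "wb") as f:
                f.write(content)
            results.append(check_cron_files(root, whitelist))
        # After review, the new digest is added next to the old one.
        whitelist[PATH].add(hashlib.sha256(new).hexdigest())
        results.append(check_cron_files(root, whitelist))
    return results

if __name__ == "__main__":
    for r in demo():
        print(r)
```

Keeping the older digest in the set lets builds of the previously audited script keep passing while the update is rolled out.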