negative group permissions?
Trond Endrestøl
Trond.Endrestol at fagskolen.gjovik.no
Fri Feb 24 13:42:07 UTC 2012
On Fri, 24 Feb 2012 12:54-0000, Anton Shterenlikht wrote:
> On Fri, Feb 24, 2012 at 09:34:02AM +0000, Matthew Seaman wrote:
> > On 24/02/2012 09:08, Anton Shterenlikht wrote:
> > > Recently I started seeing this line
> > > in daily security output:
> > >
> > > Checking negative group permissions:
> > > 70834 -rw-r----x 1 root daemon 4 Feb 21 12:54:02 2012 /var/spool/output/lpd/.seq
> > >
> > > I've a parallel printer attached to
> > > a 9.9-CURRENT #2 r230787M box.
> > >
> > > What does it mean?
> >
> > This means that non-root users in group daemon have only read
> > permissions on that file. Users that aren't root and that aren't in
> > group daemon have execute permission only.
> >
> > It does look a bit odd, and I believe that file would just contain a job
> > number (IIRC -- haven't dealt much with lpd or lprng much recently)
> > so executing it doesn't really achieve anything.
> >
> > This is the standard idiom to allow access for 'everyone, except members
> > of a particular group.'
>
> yes, I get this.
>
>
> > One way you can get weird permissions is if you happen to use decimal
> > for permissions bitmaps rather than octal. A umask of '77' is not the
> > same thing at all as a umask of '077'. (It's effectively 0115, which
> > doesn't make much sense to me.) Most shells nowadays will assume you
> > mean octal whether you include the leading zero or not: the same is not
> > true if you use umask(2) to set the mask programatically. Ditto for
> > other places you can set permissions like open(2) with O_CREAT or mkdir(2).
>
> # umask
> 0022
> # pwd
> /var/spool/output/lpd
> # ls -al
> total 8
> drwxr-xr-x 2 root daemon 512 Feb 24 12:43 .
> drwxr-xr-x 3 root daemon 512 Mar 9 2010 ..
> -rw-rw-r-- 1 root daemon 41 Feb 21 12:54 lock
> -rw-rw-r-- 1 root daemon 25 Feb 21 12:54 status
> #
>
> Then I print something:
>
> % pwd | lpr
>
> Then this .seq file appears with weird permissions:
>
> # ls -al
> total 10
> drwxr-xr-x 2 root daemon 512 Feb 24 12:46 .
> drwxr-xr-x 3 root daemon 512 Mar 9 2010 ..
> -rw-r----x 1 root daemon 4 Feb 24 12:45 .seq
> -rw-rw-r-- 1 root daemon 41 Feb 24 12:45 lock
> -rw-rw-r-- 1 root daemon 25 Feb 24 12:45 status
> #
>
> # cat .seq
> 001
> #
>
> So presumably lpd(8) created this file, but I'm still
> unsure why permissions are so strange. But interests
> me more, is why I didn't see it until about 1-2 months
> ago? Has something chaged in -current, e.g. in open(2)
> like you suggest? Or has I messed up with my setup?
> Or maybe it was always like this, but the security
> check didn't pick it up?
>
> >
> > > Should I be worried?
> >
> > No more than a normal level of paranoia is indicated here.
Looking at usr.sbin/lpr/lpr/lpr.c at around line 847 (RELENG_9):
(void) snprintf(buf, sizeof(buf), "%s/.seq", pp->spool_dir);
seteuid(euid);
if ((fd = open(buf, O_RDWR|O_CREAT, 0661)) < 0) {
printf("%s: cannot create %s\n", progname, buf);
exit(1);
}
if (flock(fd, LOCK_EX)) {
printf("%s: cannot lock %s\n", progname, buf);
exit(1);
}
It remains a mystery why these files are created with mode 0661. Mode
0660 should be more than sufficient. Maybe it's because of flock(2),
but the manpage for flock(2) does not mention the execute bit at all.
The lpc enable/disable commands seem to affect only the group execute
bit of the lock file.
I haven't found any other source files where .seq files are created
or being used. Feel free to prove me wrong. :D
--
+-------------------------------+------------------------------------+
| Vennlig hilsen, | Best regards, |
| Trond Endrestøl, | Trond Endrestøl, |
| IT-ansvarlig, | System administrator, |
| Fagskolen Innlandet, | Gjøvik Technical College, Norway, |
| tlf. dir. 61 14 54 39, | Office.....: +47 61 14 54 39, |
| tlf. mob. 952 62 567, | Cellular...: +47 952 62 567, |
| sentralbord 61 14 54 00. | Switchboard: +47 61 14 54 00. |
+-------------------------------+------------------------------------+
More information about the freebsd-questions
mailing list