author: Colin Watson <cjwatson@debian.org> 2016-12-09 21:45:32 +0000
committer: Colin Watson <cjwatson@debian.org> 2016-12-10 23:52:04 +0000
commit: 31552334cecee82809059ec598a37d9ea82683f0 (patch)
tree: b0acc92e0b7c002cef4fd862c0b2466533aea31f /m4
parent: c7f7daa9b2ffbbf4c45a2b168802a51acc2263c0 (diff)
Eliminate dangerous setgid-root directories

man-db has created its cache directories as setgid root for nearly 20 years. This seems to have originated in https://bugs.debian.org/26002. However, this has some dangerous consequences, such as:

http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/

It seems best to arrange for cache files and directories to be man:man rather than man:root. To do this reliably, as well as adjusting various chown and chmod calls, we make man and mandb be setgid man as well as setuid man (except in the --disable-setuid case). This is a much simpler and safer solution to the original problem, and doesn't introduce any interesting new privilege since the man group's only real purpose is to be the man user's primary group and nothing in cache directories is group-writeable.

* configure.ac (AC_CHECK_FUNCS): Add lchown.
* lib/security.c (init_security): Record initial real and effective group IDs as well as user IDs.
  (drop_effective_privs, regain_effective_privs): Update gid.
* lib/xchown.c (xlchown) [HAVE_LCHOWN]: New function.
* lib/xchown.c (xlchown) [HAVE_LCHOWN]: Add prototype.
* m4/man-arg-setuid.m4: Set man_mode to 6755 rather than 4755 in the --enable-setuid case.
* src/Makefile.am (install-exec-hook): Check for man_mode being 6755 rather than 4755. Set the group of man and mandb as well as their owner.
* src/check_mandirs.c (chown_if_possible): New function. This is somewhat more careful than previous implementations, changes the group as well as the user if possible, and prefers lchown if it is available.
  (mkcatdirs): Drop S_ISGID from cat directories. Use chown_if_possible.
  (fix_permissions, fix_permissions_tree): New functions to remove setgid bit from existing cat directories.
  (testmandirs): Call fix_permissions_tree.
* src/check_mandirs.h (chown_if_possible): Add prototype.
* src/man.c (commit_tmp_cat): Set cat file group as well as owner.
* src/mandb.c (check_chown): Remove.
  (do_chown): Stop taking a uid parameter. Use chown_if_possible.
  (mandb): Use chown_if_possible for CACHEDIR.TAG. Set ownership and permissions of CACHEDIR.TAG even if it already exists.
  (process_manpath): Set ownership of database files even if they have not been changed.
Diffstat (limited to 'm4')

-rw-r--r-- m4/man-arg-setuid.m4 | 4
1 files changed, 2 insertions, 2 deletions
diff --git a/m4/man-arg-setuid.m4 b/m4/man-arg-setuid.m4
index e544a1ad..2190541e 100644
--- a/m4/man-arg-setuid.m4
+++ b/m4/man-arg-setuid.m4
@@ -13,7 +13,7 @@ AS_HELP_STRING([--disable-setuid], [don't install man setuid])],
then
AC_MSG_ERROR([--enable-setuid is incompatible with --disable-cache-owner])
fi
- man_mode="4755"
+ man_mode="6755"
AC_MSG_NOTICE([Man will be installed setuid $man_owner])
elif test "$enableval" = "no"
then
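Review bot: the AC_MSG_NOTICE immediately after the changed `man_mode="6755"` line still reads `Man will be installed setuid $man_owner`, but mode 6755 now sets the setgid bit as well as setuid, so configure's output no longer describes the mode it will install; update the notice (and the `--disable-setuid` help string, which likewise only mentions setuid) to say setuid/setgid so that anyone reading the configure log or `./configure --help` sees that the binaries will also be group-privileged.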
@@ -26,7 +26,7 @@ AS_HELP_STRING([--disable-setuid], [don't install man setuid])],
then
man_mode="755"
else
- man_mode="4755"
+ man_mode="6755"
fi])
AC_SUBST([man_mode])
])
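Review bot: the literal `6755` is now duplicated between the `--enable-setuid` branch and this default `else` branch, and the commit message says src/Makefile.am (install-exec-hook) compares against the same literal a third time; consider assigning the mode once (a single shell variable set before the AC_ARG_ENABLE block, or a define shared with the Makefile) so that a future change cannot leave one branch or the install hook disagreeing with the others. The `--disable-cache-owner` path correctly keeps `man_mode="755"`, which is consistent with the message's statement that setgid is only added alongside setuid.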