[arch-commits] Commit in fcron/trunk (PKGBUILD fcron.install)

Sébastien Luttringer seblu at nymeria.archlinux.org
Wed Aug 28 15:03:56 UTC 2013 

    Date: Wednesday, August 28, 2013 @ 17:03:56
  Author: seblu
Revision: 96422

upgpkg: fcron 3.1.2-8

Fix distro specific security breach in fcron.
Thanks to Anh K. Huynh <kyanh at theslinux.org> for his quiet report.

Modified:
  fcron/trunk/PKGBUILD
  fcron/trunk/fcron.install

---------------+
 PKGBUILD      |   23 +++++++++++++----------
 fcron.install |   31 +++++++++++++++++++++++++++++++
 2 files changed, 44 insertions(+), 10 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2013-08-28 11:35:15 UTC (rev 96421)
+++ PKGBUILD	2013-08-28 15:03:56 UTC (rev 96422)
@@ -7,13 +7,17 @@
 
 pkgname=fcron
 pkgver=3.1.2
-pkgrel=7
+pkgrel=8
 pkgdesc='Feature-rich cron implementation'
 arch=(i686 x86_64)
 url='http://fcron.free.fr'
 license=('GPL')
 depends=('pam' 'run-parts')
-makedepends=('smtp-forwarder' 'vi')
+makedepends=('smtp-forwarder' 'vi' 'fcron')
+# use fcron as recursive deps to have user fcron installed during installation
+# else add the following in build chroot
+# groupadd -g 23 fcron
+# useradd -r -d /var/spool/fcron -u 23 -g 23 fcron
 optdepends=('smtp-forwarder: to send mails from cron jobs'
             'vi: default editor for fcrontab')
 provides=('cron')
@@ -30,13 +34,14 @@
 
 build() {
   cd $pkgname-$pkgver
+  # Don't use --username=root and --groupname=root, this completly break
+  # fcron security and allow local root escalation.
+  # Thanks to Anh K. Huynh <kyanh at theslinux.org> for reporting it.
   ./configure --prefix=/usr \
               --sbindir=/usr/bin \
               --sysconfdir=/etc/fcron \
               --with-answer-all=no \
               --with-boot-install=no \
-              --with-username=root \
-              --with-groupname=root \
               --datarootdir=/usr/share \
               --datadir=/usr/share \
               --with-docdir=/usr/share/doc \
@@ -44,22 +49,20 @@
               --with-systemdsystemunitdir=/usr/lib/systemd/system \
               --with-piddir=/run \
               --with-editor=/usr/bin/vi \
-              --with-sendmail=/usr/sbin/sendmail
+              --with-sendmail=/usr/bin/sendmail
   make
 }
 
 package() {
   cd $pkgname-$pkgver
-
   make DESTDIR="$pkgdir/" install
-  install -D -m644 "$srcdir/$pkgname-$pkgver/files/fcron.pam" "$pkgdir/etc/pam.d/fcron"
+  install -Dm644 files/fcron.pam "$pkgdir/etc/pam.d/fcron"
+  install -Dm644 files/fcrontab.pam "$pkgdir/etc/pam.d/fcrontab"
 
-  install -D -m644 "$srcdir/$pkgname-$pkgver/files/fcrontab.pam" "$pkgdir/etc/pam.d/fcrontab"
-
   # Install a default fcrontab so that fcron can completely replace dcron
   # We doesn't use binary format which is incompatible between arch and may cause crash
   # We regenerate the binary format at each update
-  install -D -m640 "$srcdir/systab.orig" "$pkgdir/var/spool/fcron/systab.orig"
+  install -Dm640 "$srcdir/systab.orig" "$pkgdir/var/spool/fcron/systab.orig"
 
   # Add cron.* directories
   install -d -m755 "$pkgdir/etc/cron.daily"

Modified: fcron.install
===================================================================
--- fcron.install	2013-08-28 11:35:15 UTC (rev 96421)
+++ fcron.install	2013-08-28 15:03:56 UTC (rev 96422)
@@ -1,5 +1,8 @@
 # arg 1:  the new package version
 post_install() {
+  # we need a dedicated fcron user
+  getent group fcron >/dev/null || groupadd -g 23 fcron
+  getent passwd fcron >/dev/null || useradd -r -d /var/spool/fcron -u 23 -g 23 fcron
   # Generate binary format which is incompatible between arch
   fcrontab -z -u systab &>/dev/null
 }
@@ -8,6 +11,34 @@
 # arg 2:  the old package version
 post_upgrade() {
   post_install "$1"
+  if (( $(vercmp $2 3.1.2-8) < 0 )); then
+    echo 'Previous versions of fcron allow root priviledge escalation by using'
+    echo 'runas option in crontabs. fcron check rights at crontab compilation.'
+    echo 'Thus, the migration script will recreate the binary crontabs'
+    echo 'for you (with all side effects) and fix the files rights.'
+    # fix invalid etc files
+    for _f in /etc/fcron/fcron.{conf,allow,deny}; do
+      [[ -e $_f ]] || continue
+      chown root:fcron "$_f"
+      chmod 640 "$_f"
+    done
+    # fix invalid spool directory
+    chown fcron:fcron /var/spool/fcron
+    chmod 770 /var/spool/fcron
+    # regen user fcron files
+    cd /var/spool/fcron
+    for _f in *; do
+      if [[ "${_f%.orig}" != "$_f" ]]; then
+        chgrp fcron "$_f"
+        fcrontab -z -u "${_f%.orig}" &>/dev/null
+      fi
+    done
+  fi
 }
 
+post_remove() {
+  userdel fcron &>/dev/null
+  groupdel fcron &>/dev/null
+}
+
 # vim:set ts=2 sw=2 et:

More information about the arch-commits mailing list