Date: Wed, 10 Sep 2008 05:11:30 +0900 (JST)
From: Yasuhiro KIMURA <yasu@utahime.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Subject: ports/127255: [PATCH, SECURITY] security/logcheck: fix security concern about instruction in pkg-message
Message-ID: <20080909201130.9678A174F2@eastasia.home.utahime.org>
Resent-Message-ID: <200809092020.m89KK2NV007741@freefall.freebsd.org>
>Number: 127255
>Category: ports
>Synopsis: [PATCH,SECURITY] security/logcheck: fix security concern about instruction in pkg-message
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Sep 09 20:20:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Yasuhiro KIMURA
>Release: FreeBSD 7.0-RELEASE-p4 i386
>Organization:
>Environment:
System: FreeBSD xxxx 7.0-RELEASE-p4 FreeBSD 7.0-RELEASE-p4 #0: Thu Sep 4 11:38:15 JST 2008 xxxx i386
>Description:
- Fix security concern about instruction in pkg-message.

In pkg-message there is an instruction that all log files checked by logcheck should be readable by the wheel group. By default, some log files such as /var/log/auth.log or /var/log/security are readable only by root because they may include sensitive information. So if you want to check these files with logcheck, you are required to make them readable by users in the wheel group.

But the primary purpose of the wheel group is to limit the users who can get root privilege by using su(1). So it is quite common that some users belong to the wheel group. Then let's think of the following situation. A user who belongs to the wheel group logged in to a server and went to lunch, forgetting to log out or lock the screen. Then someone evil came and found the unlocked terminal. If the permission of /var/log/auth.log or /var/log/security is not changed, the evil person cannot read them unless he knows the root password of the server. But if these files are readable by the wheel group, he can read these log files simply by displaying them using cat, less, or a similar command, and access the sensitive information inside them.

So the instructions should be changed so that all log files checked by logcheck are readable by the logcheck group rather than the wheel group.

- Stop adding user 'logcheck' to wheel group.
- Use 915/915 as UID/GID of 'logcheck' user.
- Use /var/db/logcheck instead of /var/lib/logcheck because /var/lib is not accessible by non-wheel users.
- Use MASTER_SITE_DEBIAN as MASTER_SITES.
- Use USE_PERL5 for perl dependency.
- Use @dirrmtry in pkg-plist.
- Bump PORTREVISION.

I think this patch should be committed by asking for portmgr's approval before the final package build for 6.4/7.1 is started.
>How-To-Repeat:
>Fix:
--- patch-logcheck begins here --- Index: Makefile =================================================================== RCS file: /usr1/freebsd/cvsroot/ports/security/logcheck/Makefile,v retrieving revision 1.22 diff -u -r1.22 Makefile --- Makefile 8 Sep 2008 20:09:59 -0000 1.22 +++ Makefile 9 Sep 2008 18:53:48 -0000 @@ -7,10 +7,10 @@ PORTNAME= logcheck PORTVERSION= 1.2.54 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= security -MASTER_SITES= ftp://ftp.debian.org/debian/pool/main/l/logcheck/ \ - http://ftp.de.debian.org/debian/pool/main/l/logcheck/ +MASTER_SITES= ${MASTER_SITE_DEBIAN} +MASTER_SITE_SUBDIR= pool/main/l/logcheck DISTNAME= ${PORTNAME}_${PORTVERSION} MAINTAINER= glarkin@FreeBSD.org @@ -18,8 +18,8 @@ BUILD_DEPENDS= docbook-to-man:${PORTSDIR}/textproc/docbook-to-man RUN_DEPENDS= lockfile:${PORTSDIR}/mail/procmail \ - bash:${PORTSDIR}/shells/bash \ - perl:${PORTSDIR}/lang/perl5 + bash:${PORTSDIR}/shells/bash +USE_PERL5= yes WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION} BINMODE= 755 @@ -33,6 +33,9 @@ LOGCHECK_USER= logcheck LOGCHECK_GROUP= ${LOGCHECK_USER} +LOGCHECK_UID= 915 +LOGCHECK_GID= 915 +SUB_LIST+= LOGCHECK_USER=${LOGCHECK_USER} LOGCHECK_GROUP=${LOGCHECK_GROUP} LOGCHECK_UID=${LOGCHECK_UID} LOGCHECK_GID=${LOGCHECK_GID} do-build: ${REINPLACE_CMD} -e 's!/var/log/syslog!/var/log/messages!' \ 
@@ -46,11 +49,13 @@ ${INSTALL_SCRIPT} ${WRKSRC}/src/logcheck ${PREFIX}/sbin ${INSTALL_SCRIPT} ${WRKSRC}/src/logtail ${PREFIX}/sbin @PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL - @${INSTALL} -d /var/lib/logcheck + @${INSTALL} -d /var/db/logcheck @${INSTALL} -d /var/run/logcheck - ${CHOWN} ${LOGCHECK_USER}:${LOGCHECK_GROUP} /var/lib/logcheck + ${CHOWN} ${LOGCHECK_USER}:${LOGCHECK_GROUP} /var/db/logcheck @${ECHO_CMD} '@exec ${CHOWN} -R ${LOGCHECK_USER}:${LOGCHECK_GROUP} \ - /var/lib/logcheck' >> ${TMPPLIST} + /var/db/logcheck' >> ${TMPPLIST} + ${CHMOD} 700 /var/db/logcheck + @${ECHO_CMD} '@exec ${CHMOD} 700 /var/db/logcheck' >> ${TMPPLIST} ${CHOWN} ${LOGCHECK_USER}:${LOGCHECK_GROUP} /var/run/logcheck @${ECHO_CMD} '@exec ${CHOWN} -R ${LOGCHECK_USER}:${LOGCHECK_GROUP} \ /var/run/logcheck' >> ${TMPPLIST} Index: pkg-plist =================================================================== RCS file: /usr1/freebsd/cvsroot/ports/security/logcheck/pkg-plist,v retrieving revision 1.10 diff -u -r1.10 pkg-plist --- pkg-plist 8 Sep 2008 20:09:59 -0000 1.10 +++ pkg-plist 9 Sep 2008 18:30:10 -0000 @@ -182,7 +182,7 @@ @dirrm %%ETCDIR%%/ignore.d.paranoid @dirrm %%ETCDIR%%/cracking.d @dirrm %%ETCDIR%% -@exec mkdir -p /var/lib/logcheck -@unexec rm -rf /var/lib/logcheck 2> /dev/null || true +@exec mkdir -p /var/db/logcheck +@dirrmtry /var/db/logcheck @exec mkdir -p /var/run/logcheck -@unexec rm -rf /var/run/logcheck 2> /dev/null || true +@dirrmtry /var/run/logcheck Index: files/patch-src__logcheck =================================================================== RCS file: /usr1/freebsd/cvsroot/ports/security/logcheck/files/patch-src__logcheck,v retrieving revision 1.1 diff -u -r1.1 patch-src__logcheck --- files/patch-src__logcheck 7 Sep 2008 01:31:56 -0000 1.1 +++ files/patch-src__logcheck 9 Sep 2008 18:40:54 -0000 
@@ -1,5 +1,5 @@ ---- ./src/logcheck.orig 2007-01-16 01:13:27.000000000 -0500 -+++ ./src/logcheck 2008-09-06 19:11:28.000000000 -0400 +--- src/logcheck.orig 2007-01-16 15:13:27.000000000 +0900 ++++ src/logcheck 2008-09-10 03:39:45.000000000 +0900 @@ -1,4 +1,4 @@ -#!/bin/bash +#!/usr/local/bin/bash @@ -32,19 +32,20 @@ # Set the default paths -RULEDIR="/etc/logcheck" -CONFFILE="/etc/logcheck/logcheck.conf" -+RULEDIR="/usr/local/etc/logcheck" -+CONFFILE="/usr/local/etc/logcheck/logcheck.conf" - STATEDIR="/var/lib/logcheck" +-STATEDIR="/var/lib/logcheck" -LOGFILES_LIST="/etc/logcheck/logcheck.logfiles" -LOGFILE_FALLBACK="/var/log/syslog" -LOGTAIL="/usr/sbin/logtail" ++RULEDIR="/usr/local/etc/logcheck" ++CONFFILE="/usr/local/etc/logcheck/logcheck.conf" ++STATEDIR="/var/db/logcheck" +LOGFILES_LIST="/usr/local/etc/logcheck/logcheck.logfiles" +LOGFILE_FALLBACK="/var/log/messages" +LOGTAIL="/usr/local/sbin/logtail" CAT="/bin/cat" SYSLOG_SUMMARY="/usr/bin/syslog-summary" -@@ -87,20 +80,15 @@ +@@ -87,26 +80,21 @@ SORTUNIQ=0 SUPPORT_CRACKING_IGNORE=0 SYSLOGSUMMARY=0 @@ -69,6 +70,13 @@ fi if [ -d $TMPDIR ]; then + # Remove the tmp directory + if [ $NOCLEANUP -eq 0 ];then +- cd /var/lib/logcheck ++ cd /var/db/logcheck + debug "cleanup: Removing - $TMPDIR" + rm -r $TMPDIR + else @@ -142,14 +130,9 @@ if [ "$2" = "noclean" ]; then debug "error: Not removing lockfile" Index: files/pkg-deinstall.in =================================================================== RCS file: /usr1/freebsd/cvsroot/ports/security/logcheck/files/pkg-deinstall.in,v retrieving revision 1.1 diff -u -r1.1 pkg-deinstall.in --- files/pkg-deinstall.in 7 Sep 2008 01:31:56 -0000 1.1 +++ files/pkg-deinstall.in 9 Sep 2008 18:04:41 -0000 
@@ -1,7 +1,7 @@ #!/bin/sh -user="logcheck" -group="logcheck" +user="%%LOGCHECK_USER%%" +group="%%LOGCHECK_GROUP%%" configfiles="logcheck.conf logcheck.logfiles" case $2 in Index: files/pkg-install.in =================================================================== RCS file: /usr1/freebsd/cvsroot/ports/security/logcheck/files/pkg-install.in,v retrieving revision 1.1 diff -u -r1.1 pkg-install.in --- files/pkg-install.in 7 Sep 2008 01:31:56 -0000 1.1 +++ files/pkg-install.in 9 Sep 2008 18:30:32 -0000 @@ -1,9 +1,11 @@ #!/bin/sh -user="logcheck" -group="logcheck" +user="%%LOGCHECK_USER%%" +uid="%%LOGCHECK_UID%%" +group="%%LOGCHECK_GROUP%%" +gid="%%LOGCHECK_GID%%" descr="Logcheck system account" -homedir="/var/lib/logcheck" +homedir="/var/db/logcheck" shell="/usr/bin/false" configfiles="logcheck.conf logcheck.logfiles" @@ -12,13 +14,13 @@ if pw group show ${group} > /dev/null 2>&1; then echo "---> You already have a group \"${group}\", so I will use it." else - pw group add "${group}" + pw group add "${group}" -g $gid echo "---> Created group \"${group}\"." fi if pw user show ${user} > /dev/null 2>&1; then echo "---> You already have a user \"${user}\", so I will use it." else - pw user add -n logcheck -c "${descr}" -d "${homedir}" -s "${shell}" -g logcheck -G wheel + pw user add -n logcheck -u $uid -c "${descr}" -d "${homedir}" -s "${shell}" -g logcheck echo "---> Created user \"${user}\"." fi ;; Index: files/pkg-message.in =================================================================== RCS file: /usr1/freebsd/cvsroot/ports/security/logcheck/files/pkg-message.in,v retrieving revision 1.1 diff -u -r1.1 pkg-message.in --- files/pkg-message.in 7 Sep 2008 01:31:56 -0000 1.1 +++ files/pkg-message.in 9 Sep 2008 18:09:14 -0000 
@@ -3,7 +3,7 @@ %%PREFIX%%/etc/logcheck/logcheck.logfiles -are readable to 'wheel' group (see also /etc/newsyslog.conf), or remove +are readable to '%%LOGCHECK_GROUP%%' group (see also /etc/newsyslog.conf), or remove them from the aforementioned logcheck configuration file. For information on how to write local rulesets see --- patch-logcheck ends here --- >Release-Note: >Audit-Trail: >Unformatted:
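Review bot: in the Makefile hunk `@@ -18,8 +18,8 @@`, `USE_PERL5= yes` registers perl as both a build-time and a run-time dependency, whereas the `perl:${PORTSDIR}/lang/perl5` entry it replaces lived in RUN_DEPENDS only. If logcheck needs perl only at run time, `USE_PERL5_RUN= yes` keeps the dependency as narrow as it was before.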
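Review bot: the Makefile hunk `@@ -33,6 +33,9 @@` fixes the account at `LOGCHECK_UID= 915` / `LOGCHECK_GID= 915`, but nothing in the patch reserves 915 in the ports tree's UIDs and GIDs registry files. Please add the entries there in the same commit so another port cannot claim the same ids, and mention in the commit log that existing installs created with a dynamic id keep it (the pkg-install script only applies `-u`/`-g` when the account does not yet exist).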
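Review bot: in the Makefile hunk `@@ -46,11 +49,13 @@`, the new `${CHMOD} 700 /var/db/logcheck` line is the right complement to the PR's intent (logtail's state files should not be readable by other users either), but it and the `${CHOWN}` line above it are not prefixed with `@` like the neighbouring `${INSTALL} -d` commands, so they echo during the build; add the `@` for consistency. Also consider moving both the `${CHOWN}` and `${CHMOD}` after the `${INSTALL} -d /var/run/logcheck` line so the two directories are created first and then adjusted together, which makes the block easier to read.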
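Review bot: replacing `@unexec rm -rf /var/db/logcheck 2> /dev/null || true` with `@dirrmtry /var/db/logcheck` in the pkg-plist hunk changes deinstall behaviour: `@dirrmtry` only removes an empty directory, and logcheck keeps its logtail offset files in STATEDIR (now /var/db/logcheck per files/patch-src__logcheck), so after pkg_delete the directory and its state files will normally remain. If that is intended (state survives an upgrade), say so in pkg-message; otherwise pkg-deinstall.in should remove the state files before the plist is processed. The same applies to `@dirrmtry /var/run/logcheck` while a lockfile is present.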
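Review bot: in files/patch-src__logcheck, the new sub-hunk `@@ -69,6 +70,13 @@` replaces `cd /var/lib/logcheck` with a hardcoded `cd /var/db/logcheck`, although the same file already sets `STATEDIR="/var/db/logcheck"` in the hunk above. Patching it to `cd "$STATEDIR"` keeps one source of truth, so a future move of the state directory needs one edit instead of two.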
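Review bot: in the pkg-install.in hunk `@@ -12,13 +14,13 @@`, the new `pw user add -n logcheck -u $uid ... -g logcheck` line still hardcodes `logcheck` for `-n` and `-g` even though the hunk above introduces `user="%%LOGCHECK_USER%%"` and `group="%%LOGCHECK_GROUP%%"`, and `$uid`/`$gid` are the only unquoted arguments; use `-n "${user}" -u "${uid}" ... -g "${group}"` and `-g "${gid}"`. More importantly, the "You already have a user ... so I will use it" branch means a logcheck user created by PORTREVISION 1 (which passed `-G wheel`) keeps its wheel membership on upgrade, so dropping `-G wheel` fixes fresh installs only; either remove the user from wheel in that branch (`pw groupmod wheel -d "${user}"`) or add a ports/UPDATING entry telling admins to do it.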
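Review bot: the pkg-message.in hunk only swaps 'wheel' for '%%LOGCHECK_GROUP%%'. Since the point of the PR is that the logs must not become readable by anyone outside that group, the instruction should also state the mode to use (group %%LOGCHECK_GROUP%%, mode 640, not 644) and spell out that the matching /etc/newsyslog.conf entries need the same owner:group and mode; otherwise the next rotation recreates the file with newsyslog's defaults and logcheck silently loses access again.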
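A defender-side check for the permission rule the PR argues for, as an added example that is not part of the PR, of the logcheck port, or of logcheck itself: it reads a file list in the one-path-per-line format of logcheck.logfiles and reports every log that is not group-owned by the intended group (so a file still group-owned by wheel is flagged), is not group-readable (logcheck could not read it), or is readable by "other". The list path and the group name are arguments; it parses ls(1) output rather than stat(1) so the same script runs on FreeBSD and Linux, and the file names in the comments are constructed.

```shell
#!/bin/sh
# Audit the permissions of the log files logcheck will read.
# Added example (not from the PR or the port). Assumes a list file in the
# format of logcheck.logfiles: one absolute path per line, '#' comments.

# Print "<mode-string> <group>" for one file, e.g. "-rw-r----- wheel".
# ls -ld output: mode links owner group size date... name; we need fields 1 and 4.
file_mode_group() {
    set -- $(ls -ld "$1")
    printf '%s %s\n' "$1" "$4"
}

# check_log_perms LISTFILE GROUP
# Prints one "REASON path" line per problem and returns 0 only if every
# listed file is group-owned by GROUP, group-readable, and not world-readable.
check_log_perms() {
    list=$1 want=$2 rc=0
    while IFS= read -r f; do
        case $f in ''|'#'*) continue ;; esac          # skip blanks and comments
        if [ ! -e "$f" ]; then
            echo "MISSING $f"; rc=1; continue
        fi
        set -- $(file_mode_group "$f")
        mode=$1 grp=$2
        # Wrong group: e.g. still root:wheel after the old pkg-message advice.
        [ "$grp" = "$want" ] || { echo "WRONG-GROUP($grp) $f"; rc=1; }
        # Mode string layout: [type][user rwx][group rwx][other rwx];
        # the group read bit is character 5, the other read bit character 8.
        case $mode in ????r*) ;; *) echo "NOT-GROUP-READABLE $f"; rc=1 ;; esac
        case $mode in ???????r*) echo "WORLD-READABLE $f"; rc=1 ;; esac
    done < "$list"
    return $rc
}

# Usage on a real host (constructed example):
#   check_log_perms /usr/local/etc/logcheck/logcheck.logfiles logcheck
if [ $# -eq 2 ]; then
    check_log_perms "$1" "$2"
fi
```

Run it after applying the pkg-message instructions and again after the first newsyslog rotation: a log that comes back as WRONG-GROUP(wheel) or NOT-GROUP-READABLE means the /etc/newsyslog.conf entry was not updated to match.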