public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] setuid/setgid binaries, man-db security fix
@ 2016-12-12 22:46 Ian Zimmerman
  2016-12-13  2:05 ` John Covici
  2016-12-13  7:20 ` Jeremi Piotrowski
  0 siblings, 2 replies; 5+ messages in thread
From: Ian Zimmerman @ 2016-12-12 22:46 UTC
  To: gentoo-user

This morning I was pointed at [1] (by reading [2]).

As far as I can see there has been no bug report about this in gentoo.
Should I file one now?  It doesn't look like the fix can be easily
backported so probably it will just end up being merged with the rest of
the new version.  But it may be worthwhile to mark it as a security
issue.

More generally, I'm wondering about set*id binaries in gentoo.  If I
don't want/need the particular feature thus provided, can I simply turn
off the set*id bit?  That's what [3] recommends, but what about
upgrades?  When a new version of the package is emerged, will the set*id
bit be turned back on?  Will I have to remember turning it off forever?
dpkg has a feature (dpkg-statoverride) where a local admin can force
permissions on files shipped in packages, and such overrides "stick"
even across upgrades.  Is there anything similar for gentoo?

[1]
https://lists.nongnu.org/archive/html/man-db-announce/2016-12/msg00000.html

[2]
http://www.chiark.greenend.org.uk/~cjwatson/blog/cve-2015-1336.html

[3]
https://wiki.gentoo.org/wiki/Security_Handbook/File_permissions

-- 
Please *no* private Cc: on mailing lists and newsgroups
Personal signed mail: please _encrypt_ and sign
Don't clear-text sign: http://cr.yp.to/smtp/8bitmime.html



* Re: [gentoo-user] setuid/setgid binaries, man-db security fix
  2016-12-12 22:46 [gentoo-user] setuid/setgid binaries, man-db security fix Ian Zimmerman
@ 2016-12-13  2:05 ` John Covici
  2016-12-13  7:20 ` Jeremi Piotrowski
  1 sibling, 0 replies; 5+ messages in thread
From: John Covici @ 2016-12-13  2:05 UTC
  To: gentoo-user

On Mon, 12 Dec 2016 17:46:31 -0500,
Ian Zimmerman wrote:
> 
> This morning I was pointed at [1] (by reading [2]).
> 
> As far as I can see there has been no bug report about this in gentoo.
> Should I file one now?  It doesn't look like the fix can be easily
> backported so probably it will just end up being merged with the rest of
> the new version.  But it may be worthwhile to mark it as a security
> issue.
> 
> More generally, I'm wondering about set*id binaries in gentoo.  If I
> don't want/need the particular feature thus provided, can I simply turn
> off the set*id bit?  That's what [3] recommends, but what about
> upgrades?  When a new version of the package is emerged, will the set*id
> bit be turned back on?  Will I have to remember turning it off forever?
> dpkg has a feature (dpkg-statoverride) where a local admin can force
> permissions on files shipped in packages, and such overrides "stick"
> even across upgrades.  Is there anything similar for gentoo?
> 
> [1]
> https://lists.nongnu.org/archive/html/man-db-announce/2016-12/msg00000.html
> 
> [2]
> http://www.chiark.greenend.org.uk/~cjwatson/blog/cve-2015-1336.html
> 
> [3]
> https://wiki.gentoo.org/wiki/Security_Handbook/File_permissions
> 

I suppose you could automatically run a shell script in the post
installation phase to fix the permissions.  I need to do the opposite
for one of the sendmail binaries.

-- 
Your life is like a penny.  You're going to lose it.  The question is:
How do you spend it?

         John Covici
         covici@ccs.covici.com
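
The post-install permission fix suggested in this reply, sketched as an added example that is not part of the original thread: a list of paths whose set*id bits are cleared again after every merge, plus an audit that shows which files still carry the bits. The list-file format, the function names and the sample paths under the scratch directory are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: a persistent "no set*id" list, re-applied after each merge.
# LISTFILE format (an assumption of this sketch): one absolute path per line;
# blank lines and lines starting with '#' are ignored.

# strip_setid LISTFILE [ROOT]
# Clears setuid/setgid on each listed regular file that still has either bit.
# Prints one line per file changed. ROOT is an optional path prefix (testing).
strip_setid() {
    _list=$1
    _root=${2:-}
    while IFS= read -r _p || [ -n "$_p" ]; do
        case $_p in ''|'#'*) continue ;; esac
        _f=$_root$_p
        # chmod follows symlinks, so only touch real regular files.
        if [ -L "$_f" ] || [ ! -f "$_f" ]; then continue; fi
        if [ -u "$_f" ] || [ -g "$_f" ]; then
            chmod u-s,g-s "$_f" && printf 'cleared: %s\n' "$_f"
        fi
    done < "$_list"
    return 0
}

# list_setid DIR
# Audit helper: prints every regular file under DIR (same filesystem only)
# that has the setuid or setgid bit, to spot bits restored by an upgrade.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Demo on constructed empty files in a scratch directory; no real binaries
# are touched.
demo() {
    _d=$(mktemp -d) || return 1
    mkdir -p "$_d/usr/bin"
    : > "$_d/usr/bin/man";   chmod 4755 "$_d/usr/bin/man"
    : > "$_d/usr/bin/mandb"; chmod 4755 "$_d/usr/bin/mandb"
    : > "$_d/usr/bin/other"; chmod 4755 "$_d/usr/bin/other"   # not listed
    printf '%s\n' '# local overrides' /usr/bin/man /usr/bin/mandb > "$_d/list"
    strip_setid "$_d/list" "$_d"
    echo "still set*id:"; list_setid "$_d"
    rm -rf "$_d"
}
demo
```

On Gentoo, one place to call `strip_setid` with an empty ROOT is a `post_pkg_postinst` function in /etc/portage/bashrc, which Portage runs after each package's postinst phase.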



* Re: [gentoo-user] setuid/setgid binaries, man-db security fix
  2016-12-12 22:46 [gentoo-user] setuid/setgid binaries, man-db security fix Ian Zimmerman
  2016-12-13  2:05 ` John Covici
@ 2016-12-13  7:20 ` Jeremi Piotrowski
  2016-12-13 23:29   ` [gentoo-user] " Ian Zimmerman
  1 sibling, 1 reply; 5+ messages in thread
From: Jeremi Piotrowski @ 2016-12-13  7:20 UTC
  To: gentoo-user

On Mon, Dec 12, 2016 at 02:46:31PM -0800, Ian Zimmerman wrote:
> More generally, I'm wondering about set*id binaries in gentoo.  If I
> don't want/need the particular feature thus provided, can I simply turn
> off the set*id bit?  

Most of the time packages will not work correctly (as defined by upstream)
and will require you to run them as root explicitly (e.g. through sudo). 

But maybe the right solution for you is to mount your root partition
nosuid. You could see how that works out first before doing anything more
permanent - or maybe that will be enough.




* [gentoo-user] Re: setuid/setgid binaries, man-db security fix
  2016-12-13  7:20 ` Jeremi Piotrowski
@ 2016-12-13 23:29   ` Ian Zimmerman
  2016-12-14  4:26     ` Miroslav Rovis
  0 siblings, 1 reply; 5+ messages in thread
From: Ian Zimmerman @ 2016-12-13 23:29 UTC
  To: gentoo-user

On 2016-12-13 08:20, Jeremi Piotrowski wrote:

> > More generally, I'm wondering about set*id binaries in gentoo.  If I
> > don't want/need the particular feature thus provided, can I simply
> > turn off the set*id bit?
> 
> Most of the time packages will not work correctly (as defined by
> upstream) and will require you to run them as root explicitly
> (e.g. through sudo).

Returning to the special case of man-db package, both man and mandb seem
to run fine as normal non-suid binaries (after I also changed the perms
on /var/cache/man to the normal root:root, 644/755).

I reported the bug:

https://bugs.gentoo.org/show_bug.cgi?id=602588

-- 
Please *no* private Cc: on mailing lists and newsgroups
Personal signed mail: please _encrypt_ and sign
Don't clear-text sign: http://cr.yp.to/smtp/8bitmime.html



* Re: [gentoo-user] Re: setuid/setgid binaries, man-db security fix
  2016-12-13 23:29   ` [gentoo-user] " Ian Zimmerman
@ 2016-12-14  4:26     ` Miroslav Rovis
  0 siblings, 0 replies; 5+ messages in thread
From: Miroslav Rovis @ 2016-12-14  4:26 UTC
  To: gentoo-user


On 161213-15:29-0800, Ian Zimmerman wrote:
> On 2016-12-13 08:20, Jeremi Piotrowski wrote:
> 
> > > More generally, I'm wondering about set*id binaries in gentoo.  If I
> > > don't want/need the particular feature thus provided, can I simply
> > > turn off the set*id bit?
> > 
> > Most of the time packages will not work correctly (as defined by
> > upstream) and will require you to run them as root explicitly
> > (e.g. through sudo).
> 
> Returning to the special case of man-db package, both man and mandb seem
> to run fine as normal non-suid binaries (after I also changed the perms
> on /var/cache/man to the normal root:root, 644/755).
> 
> I reported the bug:
> 
> https://bugs.gentoo.org/show_bug.cgi?id=602588
> 

This whole issue (since the start of this thread)... Thanks for
reporting it! It's been, and continues to be (lots of ongoing suspense,
and, in segments only, even non-disclosure; both for longer yet) the
most interesting information that I've had recently.

(Also I'll update A.S.A.P.)

-- 
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
