Details Ticket 2720


Comment | Reply | Take | Open


Serial Number 2720
Subject secure the snapshot file owner
Area grass6
Queue grass
Requestors jidanni@jidanni.org
Owner none
Status resolved
Last User Contact Sun Sep 3 12:38:09 2006 (2 yr ago)
Current Priority 30
Final Priority 70
Due No date assigned
Last Action Sun Sep 3 12:38:09 2006 (2 yr ago)
Created Fri Nov 26 05:49:27 2004 (4 yr ago)

Transaction History Ticket 2720


Fri, Nov 26 2004 05:49:27    Request created by jidanni@jidanni.org  
Return-Path <jidanni@jidanni.org>
Delivered-To grass-bugs@lists.intevation.de
To grass-bugs@intevation.de
Subject secure the snapshot file owner
From Dan Jacobson <jidanni@jidanni.org>
Date Fri, 26 Nov 2004 06:33:56 +0800
Message-ID <87k6s95zjf.fsf@jidanni.org>
MIME-Version 1.0
Content-Type text/plain; charset=us-ascii
X-Spam-Status No, hits=-4.2 tagged_above=-999.0 required=3.0 tests=BAYES_00, DATE_IN_PAST_06_12
X-Spam-Level
Installing the snapshot as root creates files owned by mystery user 1338.


Fri, Nov 26 2004 15:16:17    Mail sent by mneteler  
The user id for the binary snapshot is not very mysterious:

grass.itc.it
grep neteler /etc/passwd
neteler:x:1338:1000:Markus Neteler...

Any problems with that?

Markus
Fri, Nov 26 2004 22:12:14    Mail sent by jidanni@jidanni.org  
Return-Path <jidanni@jidanni.org>
Delivered-To grass-bugs@lists.intevation.de
To Markus Neteler via RT <grass-bugs@intevation.de>
Subject Re: [bug #2720] (grass) secure the snapshot file owner
References <20041126141617.717A4100168@lists.intevation.de>
From Dan Jacobson <jidanni@jidanni.org>
Date Sat, 27 Nov 2004 05:12:04 +0800
Message-ID <87ekig48nv.fsf@jidanni.org>
MIME-Version 1.0
Content-Type text/plain; charset=us-ascii
X-Spam-Status No, hits=-4.9 tagged_above=-999.0 required=3.0 tests=BAYES_00
X-Spam-Level
H> The user id for the binary snapshot is not very mysterious:

Well it just happens to me J. Malicious User here. Be more secure.


Mon, Nov 29 2004 15:03:43    Mail sent by mneteler  
How to be more secure?
Such statements are not very helful (to me).
Tue, Nov 30 2004 00:51:42    Mail sent by jidanni@jidanni.org  
Return-Path <jidanni@jidanni.org>
Delivered-To grass-bugs@lists.intevation.de
To Markus Neteler via RT <grass-bugs@intevation.de>
Subject Re: [bug #2720] (grass) secure the snapshot file owner
References <20041129140343.D3A69102BF8@lists.intevation.de>
From Dan Jacobson <jidanni@jidanni.org>
Date Tue, 30 Nov 2004 06:10:30 +0800
Message-ID <87d5xwb92h.fsf@jidanni.org>
MIME-Version 1.0
Content-Type text/plain; charset=us-ascii
X-Spam-Status No, hits=-4.9 tagged_above=-999.0 required=3.0 tests=BAYES_00
X-Spam-Level
H> How to be more secure?
In ...-install.sh use tar --no-same-owner.


Wed, Dec 1 2004 18:45:52    Mail sent by mneteler  
From 	Dan Jacobson 
Date 	Tue, 30 Nov 2004 06:10:30 +0800

>> How to be more secure?
>In ...-install.sh use tar --no-same-owner.

Is this a portable option?

Markus
Fri, Dec 3 2004 05:07:58    Mail sent by jidanni@jidanni.org  
Return-Path <jidanni@jidanni.org>
Delivered-To grass-bugs@lists.intevation.de
To Markus Neteler via RT <grass-bugs@intevation.de>
Cc grass@grass.itc.it, bug-tar@gnu.org
Subject [bug #2720] (grass) tar --no-same-owner
References <20041201174552.4D020102C0C@lists.intevation.de>
From Dan Jacobson <jidanni@jidanni.org>
Date Fri, 03 Dec 2004 06:18:45 +0800
Message-ID <87d5xswdh6.fsf@jidanni.org>
MIME-Version 1.0
Content-Type text/plain; charset=us-ascii
X-Spam-Status No, hits=-4.5 tagged_above=-999.0 required=3.0 tests=BAYES_00, DATE_IN_PAST_03_06
X-Spam-Level
>>> How to be more secure?
>> In ...-install.sh use tar --no-same-owner.

H> Is this a portable option?
the GNU manual doesn't go into it.
If not then "chown -R root... tree" before creating the tar, or
test `id -u` = 0 && "chown -R root... tree" for the user untarring, or
something.


Mon, Dec 6 2004 15:56:48    Mail sent by schilling@fokus.fraunhofer.de  
Return-Path <schilling@fokus.fraunhofer.de>
Delivered-To grass-bugs@lists.intevation.de
From Joerg Schilling <schilling@fokus.fraunhofer.de>
Date Mon, 06 Dec 2004 15:55:53 +0100
To jidanni@jidanni.org, grass-bugs@intevation.de
Cc grass@grass.itc.it, bug-tar@gnu.org
Subject Re: [Bug-tar] [bug #2720] (grass) tar --no-same-owner
Message-ID <41B472F9.nailIPGH1ABMS@burner>
References <20041201174552.4D020102C0C@lists.intevation.de> <87d5xswdh6.fsf@jidanni.org>
In-Reply-To <87d5xswdh6.fsf@jidanni.org>
User-Agent nail 11.2 8/15/04
MIME-Version 1.0
Content-Type text/plain; charset=iso-8859-1
Content-Transfer-Encoding 8bit
X-Spam-Status No, hits=-4.9 tagged_above=-999.0 required=3.0 tests=BAYES_00
X-Spam-Level
Dan Jacobson <jidanni@jidanni.org> wrote:

> >>> How to be more secure?
> >> In ...-install.sh use tar --no-same-owner.
>
> H> Is this a portable option?
> the GNU manual doesn't go into it.
> If not then "chown -R root... tree" before creating the tar, or
> test `id -u` = 0 && "chown -R root... tree" for the user untarring, or
> something.

tar --no-same-owner is 100% nonportable.

Better to use:

o	Assign to extracted files the user and group identifier of the user running
the program rather than those on the archive. 

But note that GNU tar did violate POSIX/SVSv2 for a while at this point.

 Jörg

-- 
 EMail:joerg@schily.isdn.cs.tu-berlin.de (home) Jörg Schilling D-13353 Berlin
js@cs.tu-berlin.de		(uni)  If you don't have iso-8859-1
       schilling@fokus.fraunhofer.de	(work) chars I am J"org Schilling
 URL:  http://www.fokus.fraunhofer.de/usr/schilling ftp://ftp.berlios.de/pub/schily
Wed, Dec 8 2004 00:05:39    Mail sent by jidanni@jidanni.org  
Return-Path <jidanni@jidanni.org>
Delivered-To grass-bugs@lists.intevation.de
To grass-bugs@intevation.de, bug-tar@gnu.org
Subject Re: [Bug-tar] [bug #2720] (grass) tar --no-same-owner
References <20041201174552.4D020102C0C@lists.intevation.de> <87d5xswdh6.fsf@jidanni.org> <41B472F9.nailIPGH1ABMS@burner>
From Dan Jacobson <jidanni@jidanni.org>
Date Tue, 07 Dec 2004 07:21:27 +0800
Message-ID <87d5xnggi0.fsf@jidanni.org>
MIME-Version 1.0
Content-Type text/plain; charset=us-ascii
X-Spam-Status No, hits=-4.2 tagged_above=-999.0 required=3.0 tests=BAYES_00, DATE_IN_PAST_12_24
X-Spam-Level
Joerg> tar --no-same-owner is 100% nonportable.

Joerg> Better to use:

Joerg> o Assign to extracted files the user and group identifier of
Joerg> the user running the program rather than those on the archive.

There needs to be recommendations for the person creating the tar
archive, not the simpler person extracting it. "How to make safe
archives".

All I can think of then is to chown root(.root or 0.0 or whatever) the
file tree before creating the archive.

Do note all this in the tar manual.


Tue, Oct 4 2005 11:20:00    Mail sent by msieczka  
Does this bug still apply to 6.1? Was the last suggestion mentioned by Dan
Jacobson applied?

Cheers,
Maciek
Tue, Oct 4 2005 11:46:42    Mail sent by mneteler  
No, it wasn't applied.
The tarballs are created on user level (also extracted from CVS
on user level), so I cannot run chown -R root ... (AFAIK).

Markus
Mon, Oct 17 2005 13:43:35    Area changed to grass6 by msieczka  
Thu, Aug 3 2006 15:03:42    Comments added by guest  
Cc: tutey@o2.pl

I can confirm the file ownerhship still being '1338' when extracting source
code snapshot as root. Maybe we should insert a note about the need to change
ownership after extraction in README or INSTALL (?)

~ Eric.
Thu, Aug 3 2006 15:48:22    Mail sent by mneteler  
There is no real reason to extract GRASS source code
as root.

Markus

PS: I am willing to change the packaging if someone tells
me how to do that in a portable way. Note that the tarball
is *not* created by root at grass.itc.it but by 'neteler' (cronjob).
Thu, Aug 3 2006 16:17:22    Mail sent by guest  
Is it fair to say that this is a bug in Grass, or improper installation by the
end-user? 

~ Eric.
Fri, Aug 25 2006 23:54:47    Comments added by guest  
Cc: tutey@o2.pl

Based on Markus' comment, it seems there isn't a real security issue here. Can
we close this one?

~ Eric.
Sun, Sep 3 2006 12:38:09    Status changed to resolved by msieczka  
Sun, Sep 3 2006 12:38:09    Mail sent by msieczka  
mneteler wrote (Thu, Aug 3 2006 15:48:22):

> There is no real reason to extract GRASS source code
> as root.

I would second Markus's note. Actually, only installing the software should be
done as a superuser. Unpacking, configure, make (as well as any other user
activity, i.e. browsing web or writing documents) should be all done as a
normal user for the sake of security. I would say that doing any of these as
root is the user's failure to behave secure.

Closing bug.

Maciek
Comment | Reply | Take | Open

You are currently authenticated as guest.
[Show Configuration] [Login as another user]

Users Guide - Mail Commands - Homepage of RequestTracker 1.0.7 - list any request