ports/127255: [PATCH, SECURITY] security/logcheck: fix security concern about instruction in pkg-message
Yasuhiro KIMURA
yasu at utahime.org
Tue Sep 9 20:20:03 UTC 2008
>Number: 127255
>Category: ports
>Synopsis: [PATCH,SECURITY] security/logcheck: fix security concern about instruction in pkg-message
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Sep 09 20:20:02 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Yasuhiro KIMURA
>Release: FreeBSD 7.0-RELEASE-p4 i386
>Organization:
>Environment:
System: FreeBSD xxxx 7.0-RELEASE-p4 FreeBSD 7.0-RELEASE-p4 #0: Thu Sep 4 11:38:15 JST 2008 xxxx i386
>Description:
- Fix security concern about instruction in pkg-message.
In pkg-message there is an instruction that all log files
checked by logcheck should be readable by the wheel group.
By default, some log files such as /var/log/auth.log or
/var/log/security are readable only by root because they may
include sensitive information. So if you want to check
these files with logcheck, you are required to make them readable
by the wheel group. But the primary purpose of the wheel group is
to limit the users who can get root privilege by using su(1).
So it is quite common that some users belong to the wheel group.
Then let's think of the following situation. A user who belongs to
the wheel group logged in to a server and went to lunch, forgetting
to log out or lock the screen. Then someone evil came and found
the unlocked terminal. If the permissions of /var/log/auth.log or
/var/log/security are not changed, the evil one cannot read them
unless he knows the root password of the server. But if these files
are readable by the wheel group, he can read these log files simply by
displaying them using cat, less, or a similar command, and access the
sensitive information inside them. So the instructions should be
changed so that all log files checked by logcheck are
readable by the logcheck group rather than the wheel group.
- Stop adding user 'logcheck' to wheel group.
- Use 915/915 as UID/GID of 'logcheck' user.
- Use /var/db/logcheck instead of /var/lib/logcheck because
/var/lib is not accessible by non-wheel user.
- Use MASTER_SITE_DEBIAN as MASTER_SITES.
- Use USE_PERL5 for perl dependency.
- Use @dirrmtry in pkg-plist.
- Bump PORTREVISION.
I think this patch should be committed by asking for portmgr's
approval before the final package build for 6.4/7.1 is started.
>How-To-Repeat:
>Fix:
--- patch-logcheck begins here ---
Index: Makefile
===================================================================
RCS file: /usr1/freebsd/cvsroot/ports/security/logcheck/Makefile,v
retrieving revision 1.22
diff -u -r1.22 Makefile
--- Makefile 8 Sep 2008 20:09:59 -0000 1.22
+++ Makefile 9 Sep 2008 18:53:48 -0000
@@ -7,10 +7,10 @@
PORTNAME= logcheck
PORTVERSION= 1.2.54
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= security
-MASTER_SITES= ftp://ftp.debian.org/debian/pool/main/l/logcheck/ \
- http://ftp.de.debian.org/debian/pool/main/l/logcheck/
+MASTER_SITES= ${MASTER_SITE_DEBIAN}
+MASTER_SITE_SUBDIR= pool/main/l/logcheck
DISTNAME= ${PORTNAME}_${PORTVERSION}
MAINTAINER= glarkin at FreeBSD.org
@@ -18,8 +18,8 @@
BUILD_DEPENDS= docbook-to-man:${PORTSDIR}/textproc/docbook-to-man
RUN_DEPENDS= lockfile:${PORTSDIR}/mail/procmail \
- bash:${PORTSDIR}/shells/bash \
- perl:${PORTSDIR}/lang/perl5
+ bash:${PORTSDIR}/shells/bash
+USE_PERL5= yes
WRKSRC= ${WRKDIR}/${PORTNAME}-${PORTVERSION}
BINMODE= 755
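Review bot: USE_PERL5=yes registers perl as both a build-time and a run-time dependency, whereas the line it replaces (`perl:${PORTSDIR}/lang/perl5` in RUN_DEPENDS) was run-time only; if perl is needed only by the installed scripts, USE_PERL5_RUN=yes keeps the dependency as narrow as before.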
@@ -33,6 +33,9 @@
LOGCHECK_USER= logcheck
LOGCHECK_GROUP= ${LOGCHECK_USER}
+LOGCHECK_UID= 915
+LOGCHECK_GID= 915
+SUB_LIST+= LOGCHECK_USER=${LOGCHECK_USER} LOGCHECK_GROUP=${LOGCHECK_GROUP} LOGCHECK_UID=${LOGCHECK_UID} LOGCHECK_GID=${LOGCHECK_GID}
do-build:
${REINPLACE_CMD} -e 's!/var/log/syslog!/var/log/messages!' \
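Review bot: the fixed UID/GID 915 introduced by LOGCHECK_UID/LOGCHECK_GID is not shown being reserved in ports/UIDs and ports/GIDs, which is how the ports tree keeps static IDs from colliding between ports; the patch should include those two entries (or the PR should say they were submitted separately) before this is committed.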
@@ -46,11 +49,13 @@
${INSTALL_SCRIPT} ${WRKSRC}/src/logcheck ${PREFIX}/sbin
${INSTALL_SCRIPT} ${WRKSRC}/src/logtail ${PREFIX}/sbin
@PREFIX=${PREFIX} ${SH} ${PKGINSTALL} ${PKGNAME} PRE-INSTALL
- @${INSTALL} -d /var/lib/logcheck
+ @${INSTALL} -d /var/db/logcheck
@${INSTALL} -d /var/run/logcheck
- ${CHOWN} ${LOGCHECK_USER}:${LOGCHECK_GROUP} /var/lib/logcheck
+ ${CHOWN} ${LOGCHECK_USER}:${LOGCHECK_GROUP} /var/db/logcheck
@${ECHO_CMD} '@exec ${CHOWN} -R ${LOGCHECK_USER}:${LOGCHECK_GROUP} \
- /var/lib/logcheck' >> ${TMPPLIST}
+ /var/db/logcheck' >> ${TMPPLIST}
+ ${CHMOD} 700 /var/db/logcheck
+ @${ECHO_CMD} '@exec ${CHMOD} 700 /var/db/logcheck' >> ${TMPPLIST}
${CHOWN} ${LOGCHECK_USER}:${LOGCHECK_GROUP} /var/run/logcheck
@${ECHO_CMD} '@exec ${CHOWN} -R ${LOGCHECK_USER}:${LOGCHECK_GROUP} \
/var/run/logcheck' >> ${TMPPLIST}
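Review bot: /var/db/logcheck is now created with one `${INSTALL} -d`, then chowned and chmodded in two further steps (plus two @exec lines), while /var/run/logcheck still gets only an owner and no explicit mode. Since PRE-INSTALL has already created the user at this point, `${INSTALL} -d -o ${LOGCHECK_USER} -g ${LOGCHECK_GROUP} -m 700 /var/db/logcheck` does the same in one step, and the same form should be applied to /var/run/logcheck so the lock directory's mode does not depend on the build umask.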
Index: pkg-plist
===================================================================
RCS file: /usr1/freebsd/cvsroot/ports/security/logcheck/pkg-plist,v
retrieving revision 1.10
diff -u -r1.10 pkg-plist
--- pkg-plist 8 Sep 2008 20:09:59 -0000 1.10
+++ pkg-plist 9 Sep 2008 18:30:10 -0000
@@ -182,7 +182,7 @@
@dirrm %%ETCDIR%%/ignore.d.paranoid
@dirrm %%ETCDIR%%/cracking.d
@dirrm %%ETCDIR%%
- at exec mkdir -p /var/lib/logcheck
- at unexec rm -rf /var/lib/logcheck 2> /dev/null || true
+ at exec mkdir -p /var/db/logcheck
+ at dirrmtry /var/db/logcheck
@exec mkdir -p /var/run/logcheck
- at unexec rm -rf /var/run/logcheck 2> /dev/null || true
+ at dirrmtry /var/run/logcheck
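Review bot: replacing `@unexec rm -rf /var/db/logcheck` with `@dirrmtry /var/db/logcheck` changes deinstall behaviour: the directory holds logtail's offset files written at run time, so it will normally be non-empty and will now be silently left behind on pkg_delete, whereas before it was removed with its contents. If keeping state across reinstalls is the intent, say so in the commit message (and in pkg-deinstall's output); otherwise the unexec should stay. The same applies, less importantly, to the lock files under /var/run/logcheck.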
Index: files/patch-src__logcheck
===================================================================
RCS file: /usr1/freebsd/cvsroot/ports/security/logcheck/files/patch-src__logcheck,v
retrieving revision 1.1
diff -u -r1.1 patch-src__logcheck
--- files/patch-src__logcheck 7 Sep 2008 01:31:56 -0000 1.1
+++ files/patch-src__logcheck 9 Sep 2008 18:40:54 -0000
@@ -1,5 +1,5 @@
---- ./src/logcheck.orig 2007-01-16 01:13:27.000000000 -0500
-+++ ./src/logcheck 2008-09-06 19:11:28.000000000 -0400
+--- src/logcheck.orig 2007-01-16 15:13:27.000000000 +0900
++++ src/logcheck 2008-09-10 03:39:45.000000000 +0900
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/usr/local/bin/bash
@@ -32,19 +32,20 @@
# Set the default paths
-RULEDIR="/etc/logcheck"
-CONFFILE="/etc/logcheck/logcheck.conf"
-+RULEDIR="/usr/local/etc/logcheck"
-+CONFFILE="/usr/local/etc/logcheck/logcheck.conf"
- STATEDIR="/var/lib/logcheck"
+-STATEDIR="/var/lib/logcheck"
-LOGFILES_LIST="/etc/logcheck/logcheck.logfiles"
-LOGFILE_FALLBACK="/var/log/syslog"
-LOGTAIL="/usr/sbin/logtail"
++RULEDIR="/usr/local/etc/logcheck"
++CONFFILE="/usr/local/etc/logcheck/logcheck.conf"
++STATEDIR="/var/db/logcheck"
+LOGFILES_LIST="/usr/local/etc/logcheck/logcheck.logfiles"
+LOGFILE_FALLBACK="/var/log/messages"
+LOGTAIL="/usr/local/sbin/logtail"
CAT="/bin/cat"
SYSLOG_SUMMARY="/usr/bin/syslog-summary"
-@@ -87,20 +80,15 @@
+@@ -87,26 +80,21 @@
SORTUNIQ=0
SUPPORT_CRACKING_IGNORE=0
SYSLOGSUMMARY=0
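Review bot: the hunk header for the second upstream hunk changes from `@@ -87,20 +80,15 @@` to `@@ -87,26 +80,21 @@`, so the regenerated patch-src__logcheck covers six more lines than the committed one, but those extra lines are not visible here. Please confirm with `make patch` (or attach the whole regenerated file) that the patch still applies without fuzz, since a miscounted header will make patch(1) reject it.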
@@ -69,6 +70,13 @@
fi
if [ -d $TMPDIR ]; then
+ # Remove the tmp directory
+ if [ $NOCLEANUP -eq 0 ];then
+- cd /var/lib/logcheck
++ cd /var/db/logcheck
+ debug "cleanup: Removing - $TMPDIR"
+ rm -r $TMPDIR
+ else
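Review bot: the cleanup path `cd /var/db/logcheck` duplicates the value just assigned to STATEDIR a few dozen lines above, so the port patch now has to change the same directory in two places. Suggest `cd "$STATEDIR"` here instead, which also keeps the cleanup correct if an administrator overrides STATEDIR in logcheck.conf.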
@@ -142,14 +130,9 @@
if [ "$2" = "noclean" ]; then
debug "error: Not removing lockfile"
Index: files/pkg-deinstall.in
===================================================================
RCS file: /usr1/freebsd/cvsroot/ports/security/logcheck/files/pkg-deinstall.in,v
retrieving revision 1.1
diff -u -r1.1 pkg-deinstall.in
--- files/pkg-deinstall.in 7 Sep 2008 01:31:56 -0000 1.1
+++ files/pkg-deinstall.in 9 Sep 2008 18:04:41 -0000
@@ -1,7 +1,7 @@
#!/bin/sh
-user="logcheck"
-group="logcheck"
+user="%%LOGCHECK_USER%%"
+group="%%LOGCHECK_GROUP%%"
configfiles="logcheck.conf logcheck.logfiles"
case $2 in
Index: files/pkg-install.in
===================================================================
RCS file: /usr1/freebsd/cvsroot/ports/security/logcheck/files/pkg-install.in,v
retrieving revision 1.1
diff -u -r1.1 pkg-install.in
--- files/pkg-install.in 7 Sep 2008 01:31:56 -0000 1.1
+++ files/pkg-install.in 9 Sep 2008 18:30:32 -0000
@@ -1,9 +1,11 @@
#!/bin/sh
-user="logcheck"
-group="logcheck"
+user="%%LOGCHECK_USER%%"
+uid="%%LOGCHECK_UID%%"
+group="%%LOGCHECK_GROUP%%"
+gid="%%LOGCHECK_GID%%"
descr="Logcheck system account"
-homedir="/var/lib/logcheck"
+homedir="/var/db/logcheck"
shell="/usr/bin/false"
configfiles="logcheck.conf logcheck.logfiles"
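Review bot: while this hunk is touching the account definition, the unchanged `shell="/usr/bin/false"` could become `/usr/sbin/nologin`, which is the conventional shell for FreeBSD system accounts and logs the refused login attempt; not required for this fix, just a point to consider since the account is being re-created with a fixed UID anyway.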
@@ -12,13 +14,13 @@
if pw group show ${group} > /dev/null 2>&1; then
echo "---> You already have a group \"${group}\", so I will use it."
else
- pw group add "${group}"
+ pw group add "${group}" -g $gid
echo "---> Created group \"${group}\"."
fi
if pw user show ${user} > /dev/null 2>&1; then
echo "---> You already have a user \"${user}\", so I will use it."
else
- pw user add -n logcheck -c "${descr}" -d "${homedir}" -s "${shell}" -g logcheck -G wheel
+ pw user add -n logcheck -u $uid -c "${descr}" -d "${homedir}" -s "${shell}" -g logcheck
echo "---> Created user \"${user}\"."
fi
;;
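Review bot: the `pw user add` line still hard-codes `-n logcheck` and `-g logcheck` even though the hunk above just parametrised user and group through %%LOGCHECK_USER%%/%%LOGCHECK_GROUP%%; use `-n "${user}"` and `-g "${group}"` (and quote `"$uid"`/`"$gid"`) so the two stay consistent. Also, `pw user add -u $uid` refuses to create the account when UID 915 is already taken by a local user (pw needs -o to allow duplicates), so the script should check `pw usershow -u "$uid"` first and fall back to an automatic UID, or at least fail with a clear message, rather than leaving the install half done.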
Index: files/pkg-message.in
===================================================================
RCS file: /usr1/freebsd/cvsroot/ports/security/logcheck/files/pkg-message.in,v
retrieving revision 1.1
diff -u -r1.1 pkg-message.in
--- files/pkg-message.in 7 Sep 2008 01:31:56 -0000 1.1
+++ files/pkg-message.in 9 Sep 2008 18:09:14 -0000
@@ -3,7 +3,7 @@
%%PREFIX%%/etc/logcheck/logcheck.logfiles
-are readable to 'wheel' group (see also /etc/newsyslog.conf), or remove
+are readable to '%%LOGCHECK_GROUP%%' group (see also /etc/newsyslog.conf), or remove
them from the aforementioned logcheck configuration file.
For information on how to write local rulesets see
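Review bot: the message now names the right group, but an administrator following "readable to 'logcheck' group (see also /etc/newsyslog.conf)" may simply chmod the files 644, which is worse than the wheel situation the PR describes. Suggest spelling out the intended newsyslog.conf form, i.e. setting the owner:group field of the relevant entries to root:logcheck with mode 640, e.g. `/var/log/auth.log root:logcheck 640 7 100 @0101T JC`, and a `chown :logcheck` plus `chmod 640` on the existing files, so the logs stay unreadable to every other user.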
--- patch-logcheck ends here ---
>Release-Note:
>Audit-Trail:
>Unformatted:
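The PR's argument is that which group a log file is readable by matters as much as whether logcheck can read it at all. The following POSIX sh script is an added example (not part of the PR, the FreeBSD port, or logcheck itself): it reads a logcheck.logfiles-style list (one path per line, `#` comments allowed; this format is an assumption), and for each file reports whether it is group-readable, whether the group is the expected one, and flags specifically the case the PR warns about, a file handed to `wheel`. It parses `ls -ld` rather than stat(1) because stat's flags differ between FreeBSD and Linux; the `mktemp` sample files in the usage are constructed, not real logs.

```sh
#!/bin/sh
# Added example, not code from the logcheck port or the PR.
# Audit the files named in a logcheck.logfiles-style list: every file should be
# readable by the group logcheck runs as, and by nothing wider such as 'wheel'.

# Print "<mode> <group>" for a path, e.g. "-rw-r----- wheel", parsed from
# ls -ld (portable; stat(1) flags differ between FreeBSD and Linux).
file_mode_group() {
    set -- $(ls -ld "$1")      # mode links owner group size date... name
    printf '%s %s\n' "$1" "$4"
}

# Succeed if the group-read bit is set in an ls-style mode string.
group_readable() {
    case "$1" in
        ????r*) return 0 ;;
        *)      return 1 ;;
    esac
}

# audit_logfiles LIST GROUP
# Prints one verdict per path: OK, NOGROUPREAD, WRONGGROUP or MISSING.
# Returns 0 only when every listed file is readable by GROUP and no other group.
audit_logfiles() {
    list=$1; want=$2; rc=0
    while IFS= read -r path || [ -n "$path" ]; do
        case "$path" in ''|'#'*) continue ;; esac      # skip blanks and comments
        if [ ! -e "$path" ]; then
            printf 'MISSING %s\n' "$path"; rc=1; continue
        fi
        set -- $(file_mode_group "$path")
        mode=$1; grp=$2
        if ! group_readable "$mode"; then
            # logcheck will fail to read it, whatever the group
            printf 'NOGROUPREAD %s (%s %s)\n' "$path" "$mode" "$grp"; rc=1
        elif [ "$grp" = wheel ] && [ "$want" != wheel ]; then
            # the situation the PR describes: every su(1)-capable user can read it
            printf 'WRONGGROUP %s (%s %s): readable by every wheel member\n' \
                "$path" "$mode" "$grp"; rc=1
        elif [ "$grp" != "$want" ]; then
            printf 'WRONGGROUP %s (%s %s)\n' "$path" "$mode" "$grp"; rc=1
        else
            printf 'OK %s (%s %s)\n' "$path" "$mode" "$grp"
        fi
    done < "$list"
    return $rc
}

# Usage: sh audit-logfiles.sh /usr/local/etc/logcheck/logcheck.logfiles logcheck
if [ $# -eq 2 ]; then
    audit_logfiles "$1" "$2"
fi
```

Run it as root after following pkg-message; a clean run prints only OK lines and exits 0. A NOGROUPREAD line means logcheck will skip that file (or error), and a WRONGGROUP line naming `wheel` is exactly the exposure the PR asks the port to stop recommending.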