On Wed, Feb 29, 2012 at 08:57:16AM +0000, Anton Shterenlikht wrote: > On Wed, Feb 29, 2012 at 02:24:58AM -0500, Jason Hellenthal wrote: > > > > > > On Tue, Feb 28, 2012 at 04:24:47PM +0000, Anton Shterenlikht wrote: > > > On Tue, Feb 28, 2012 at 03:07:43PM +0000, jb wrote: > > > > Anton Shterenlikht <mexas <at> bristol.ac.uk> writes: > > > > > > > > > > > > > > This was discussed in questions@ with no resolution. > > > > > Anybody here can advise further? > > > > > ... > > > > > > > > Regarding file .seq or .SEQ > > > > > > > > It is an intermediate-processing (run-time) lockfile found in various > > > > spool > > > > dirs and their sub-dirs, like > > > > /var/spool/cron/ > > > > /at, > > > > /lpd, etc. > > > > It is used to save job# by the respective programs (cron, at, etc). > > > > You can find a ref to .SEQ in file at.c in at port sources. > > > > I did not see ref to .seq in lpr or cron port sources. > > > > > > > > The periodic security check > > > > /etc/periodic/security/110.neggrpperm > > > > checks for risque condition like > > > > ! -perm +010 -and -perm +001 > > > > > > > > The file should not be executable, according to its purpose. > > > > > > > > So the lpr.c should be changed from > > > > if ((fd = open(buf, O_RDWR|O_CREAT, 0661)) < 0) { > > > > to > > > > if ((fd = open(buf, O_RDWR|O_CREAT, 0660)) < 0) { > > > > > > > > File a bug report. > > > > > > http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/165533 > > > > The only thing that is wrong here is the misconception of negative > > permissions. This bit of code tracks all the way back to 4.3BSD and > > probably further while LPR dates back to 3BSD. Nobody programs 661 for no > > reason and changing that code will most likely have a negative impact > > and I do not see that as a real answer to this problem. > > > > Above I see your .seq file created 0641 so not only do you have a > > negative permission on the file you are also missing a bit ;). You might > > want to review some of your other permissions to see if anything is > > missing. That has been explained all over the net for the differences > > of x86 & x86_64 systems. > > To the best of my knowledge the security warning started > to appear recently. For the previous 2 years or so I haven't > seen it. Now, I didn't modify the default security scripts, > nor the lpd system. The file is created with this permissions > because the OS created it like this, not me. I've no idea > why my file is 0641 instead of 0661. > > So, given that the lpr.c hasn't changed for years, > perhaps the periodic scripts have, and what was > earlier considered fine now is considered serious enough > to issue a security warning. > > In any case, it seems either lpr.c needs to be changed, > or if 0661 is necessary, then the periodic sripts need to > be changed to ignore this file. >
Maybe brooks could give some more insight on this. ------------------------------------------------------------------------ r215213 | brooks | 2010-11-12 19:40:43 -0500 (Fri, 12 Nov 2010) | 7 lines Add an (off by default) check for negative permissions (where the group on a object has less permissions that everyone). These permissions will not work reliably over NFS if you have more than 14 supplemental groups and are usually not what you mean. MFC after: 1 week -- ;s =; _______________________________________________ freebsd-current@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-current To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"