From rea@rea.mbslab.kiae.ru  Thu Jul 28 12:55:28 2005
Return-Path: <rea@rea.mbslab.kiae.ru>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 7D38A16A41F
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 28 Jul 2005 12:55:28 +0000 (GMT)
	(envelope-from rea@rea.mbslab.kiae.ru)
Received: from rea.mbslab.kiae.ru (rea.mbslab.kiae.ru [144.206.177.25])
	by mx1.FreeBSD.org (Postfix) with ESMTP id 1735D43D46
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 28 Jul 2005 12:55:26 +0000 (GMT)
	(envelope-from rea@rea.mbslab.kiae.ru)
Received: from rea.mbslab.kiae.ru (localhost [127.0.0.1])
	by rea.mbslab.kiae.ru (Postfix) with ESMTP id 441E6BB63
	for <FreeBSD-gnats-submit@freebsd.org>; Thu, 28 Jul 2005 16:55:22 +0400 (MSD)
Received: by rea.mbslab.kiae.ru (Postfix, from userid 1000)
	id 1C67FBB60; Thu, 28 Jul 2005 16:55:22 +0400 (MSD)
Message-Id: <20050728125522.1C67FBB60@rea.mbslab.kiae.ru>
Date: Thu, 28 Jul 2005 16:55:22 +0400 (MSD)
From: Eygene A.Ryabinkin <rea@rea.mbslab.kiae.ru>
Reply-To: Eygene A.Ryabinkin <rea@rea.mbslab.kiae.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Wrong permissions on /etc/opiekeys
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         84221
>Category:       conf
>Synopsis:       Wrong permissions on /etc/opiekeys
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Thu Jul 28 13:00:24 GMT 2005
>Closed-Date:    Tue Feb 23 14:15:50 UTC 2010
>Last-Modified:  Tue Feb 23 14:15:50 UTC 2010
>Originator:     Eygene A. Ryabinkin
>Release:        FreeBSD 5.4-STABLE i386
>Organization:
Code Labs
>Environment:
System: FreeBSD **************** 5.4-STABLE FreeBSD 5.4-STABLE #6: Wed Jul 27 10:22:02 MSD 2005 root@****************:/usr/obj/usr/src/sys/TWINS i386
>Description:
 The permissions on /etc/opiekeys are wrong: 0644 instead of 0600. It does not
make any sense to give the read permission without the write one, just due to
the design of OPIE: if one should read and authenticate using /etc/opiekeys,
then precisely that being should write the new hash to that file. Thanks to
Peter Jeremy for giving me this argument!
 There was the same bug for S/Key a long time ago, but at that time FreeBSD
was maintaining 0600 permissions on the /etc/skeykeys file.
>How-To-Repeat:
 ls -l /etc/opiekeys
>Fix:
 First, chmod 0600 /etc/opiekeys. Then fix the OPIE sources to create that file
with the right permissions.
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->patched 
State-Changed-By: ache 
State-Changed-When: Fri Jul 29 10:01:55 GMT 2005 
State-Changed-Why:  
library fix committed into -current 

http://www.freebsd.org/cgi/query-pr.cgi?pr=84221 

From: "Eygene A. Ryabinkin" <freebsd@rea.mbslab.kiae.ru>
To: FreeBSD-gnats-submit@FreeBSD.org, freebsd-bugs@FreeBSD.org
Cc:  
Subject: Re: conf/84221: Wrong permissions on /etc/opiekeys
Date: Fri, 29 Jul 2005 16:50:13 +0400

  The patch follows: (for /usr/src/contrib/opie)
  Thanks to Andrey Chernov for his commit to the -CURRENT.
 
 --- libopie/readrec.c.orig	Fri Jul 29 16:40:21 2005
 +++ libopie/readrec.c	Fri Jul 29 16:40:36 2005
 @@ -94,7 +94,7 @@
    FILE *f = NULL;
    int rval = -1;
  
 -  if (!(f = __opieopen(KEY_FILE, 0, 0644))) {
 +  if (!(f = __opieopen(KEY_FILE, 0, 0600))) {
  #if DEBUG
      syslog(LOG_DEBUG, "__opiereadrec: __opieopen(KEY_FILE..) failed!");
  #endif /* DEBUG */
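Review bot: Nothing in this hunk changes the mode of a key file that already exists, so the 0600 passed to `__opieopen(KEY_FILE, 0, 0600)` presumably takes effect only when the file is created. The commit message should say that systems with an existing 0644 /etc/opiekeys still need the manual `chmod 0600` from the Fix section.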
 --- libopie/writerec.c.orig	Fri Jul 29 16:40:11 2005
 +++ libopie/writerec.c	Fri Jul 29 16:40:59 2005
 @@ -65,13 +65,13 @@
  
    switch(i) {
    case 0:
 -    if (!(f = __opieopen(KEY_FILE, 1, 0644)))
 +    if (!(f = __opieopen(KEY_FILE, 1, 0600)))
        return -1;
      if (fseek(f, opie->opie_recstart, SEEK_SET))
        return -1;
      break;
    case 1:
 -    if (!(f = __opieopen(KEY_FILE, 2, 0644)))
 +    if (!(f = __opieopen(KEY_FILE, 2, 0600)))
        return -1;
      break;
    default:
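Review bot: The literal 0600 now appears at both `__opieopen` calls here and again in readrec.c; a single macro defined next to KEY_FILE (for example a hypothetical KEY_FILE_MODE) would keep the three call sites from drifting apart. Separately, in case 0 the `if (fseek(f, opie->opie_recstart, SEEK_SET)) return -1;` path returns without closing `f`; that is not new in this patch, but it is worth fixing while these lines are being touched.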
 --- Makefile.in.orig	Fri Jul 29 16:45:26 2005
 +++ Makefile.in	Fri Jul 29 16:44:13 2005
 @@ -237,7 +237,7 @@
  	@echo "Making sure OPIE database file exists";
  	@touch $(KEY_FILE)
  	@echo "Changing permissions of OPIE database file"
 -	@chmod 0644 $(KEY_FILE)
 +	@chmod 0600 $(KEY_FILE)
  	@echo "Changing ownership of OPIE database file"
  	@$(CHOWN) $(OWNER) $(KEY_FILE)
  	@chgrp $(GROUP) $(KEY_FILE)
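Review bot: `@touch $(KEY_FILE)` still creates the file under the installer's umask before `@chmod 0600` runs, so a newly created file briefly exists with whatever mode the umask allows. Setting the umask in the same shell command as the touch, e.g. `(umask 077; touch $(KEY_FILE))`, closes that window and leaves an existing file's contents alone.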
 -- 
  rea

From: "Eygene A. Ryabinkin" <freebsd@rea.mbslab.kiae.ru>
To: FreeBSD-gnats-submit@FreeBSD.org, freebsd-bugs@FreeBSD.org
Cc:  
Subject: Re: conf/84221: Wrong permissions on /etc/opiekeys
Date: Fri, 29 Jul 2005 17:22:40 +0400

  And one more fix for /usr/src/lib/libopie/Makefile to help people who are
 upgrading via make/buildworld to have the right permissions on their keyfile.
 
 --- Makefile.orig       Fri Jul 29 17:10:48 2005
 +++ Makefile    Fri Jul 29 17:16:00 2005
 @@ -7,6 +7,7 @@
  SHLIB_MAJOR=    3
  
  KEYFILE?=      \"/etc/opiekeys\"
 +REALKEYFILE=   ${KEYFILE:S/\"//g}
  
  .PATH: ${DIST_DIR} ${OPIE_DIST}/libmissing
  
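Review bot: `REALKEYFILE= ${KEYFILE:S/\"//g}` needs a one-line comment saying why the quotes are stripped. KEYFILE carries escaped quotes, apparently so it can be used as a C string, and the new variable is the same path for use in shell commands; without a comment the two nearly identical names invite someone to use the wrong one.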
 @@ -32,5 +33,8 @@
  MAN=   ${OPIE_DIST}/opie.4 ${OPIE_DIST}/opiekeys.5 ${OPIE_DIST}/opieaccess.5
  
  MLINKS=        opie.4 skey.4
 +
 +beforeinstall:
 +       test -f $(REALKEYFILE) && chmod 0600 $(REALKEYFILE) || true
  
  .include <bsd.lib.mk>
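Review bot: The `beforeinstall` chmod acts on `$(REALKEYFILE)` with no `${DESTDIR}` prefix, so an install into an alternate root would change /etc/opiekeys on the build host rather than in the target tree; use `${DESTDIR}${REALKEYFILE}`. The trailing `|| true` also hides a failed chmod, so the file can stay 0644 with no message; an `if [ -f ... ]; then chmod ...; fi` form would skip a missing file but still report a real failure.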
 
 -- 
  rea

From: Andrey Chernov <ache@FreeBSD.ORG>
To: "Eygene A. Ryabinkin" <freebsd@rea.mbslab.kiae.ru>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG, freebsd-bugs@FreeBSD.ORG
Subject: Re: conf/84221: Wrong permissions on /etc/opiekeys
Date: Fri, 29 Jul 2005 18:09:26 +0400

 On Fri, Jul 29, 2005 at 04:50:13PM +0400, Eygene A. Ryabinkin wrote:
 > --- Makefile.in.orig	Fri Jul 29 16:45:26 2005
 > +++ Makefile.in	Fri Jul 29 16:44:13 2005
 > @@ -237,7 +237,7 @@
 >  	@echo "Making sure OPIE database file exists";
 >  	@touch $(KEY_FILE)
 >  	@echo "Changing permissions of OPIE database file"
 > -	@chmod 0644 $(KEY_FILE)
 > +	@chmod 0600 $(KEY_FILE)
 
 Since Makefile.in is not used, this change is a no-op but takes the 
 file off the vendor branch.
 
 -- 
 http://ache.pp.ru/

From: Andrey Chernov <ache@FreeBSD.ORG>
To: "Eygene A. Ryabinkin" <freebsd@rea.mbslab.kiae.ru>
Cc: freebsd-bugs@FreeBSD.ORG
Subject: Re: conf/84221: Wrong permissions on /etc/opiekeys
Date: Fri, 29 Jul 2005 18:07:41 +0400

 On Fri, Jul 29, 2005 at 01:30:18PM +0000, Eygene A. Ryabinkin wrote:
 >  +
 >  +beforeinstall:
 >  +       test -f $(REALKEYFILE) && chmod 0600 $(REALKEYFILE) || true
 >   
 
 Permissions of an already installed file are up to the local admin. Opie itself 
 does not change them after creating it, so this commit may cause headaches for the 
 admin in case, say, he prefers to keep it group-readable.
 
 -- 
 http://ache.pp.ru/

From: Matteo Riondato <matteo@freebsd.org>
To: bug-followup@FreeBSD.org, rea@rea.mbslab.kiae.ru, ache@freebsd.org
Cc:  
Subject: Re: conf/84221: Wrong permissions on /etc/opiekeys
Date: Fri, 4 Nov 2005 22:12:01 +0100

 This was never MFCed to any branch. :(
 Best Regards
 -- 
 Matteo Riondato
 FreeBSD Volunteer (http://freebsd.org)
 G.U.F.I. Staff Member (http://www.gufi.org)
 FreeSBIE Developer (http://www.freesbie.org)

From: "Eygene A. Ryabinkin" <freebsd@rea.mbslab.kiae.ru>
To: Matteo Riondato <matteo@freebsd.org>
Cc: bug-followup@FreeBSD.org, ache@freebsd.org
Subject: Re: conf/84221: Wrong permissions on /etc/opiekeys
Date: Sun, 6 Nov 2005 14:31:41 +0300

 > This was never MFCed to any branch. :(
  Can you MFC it? Or should I find some other people to do it?
 -- 
  rea
 
 BOFH excuse #373:
 Suspicious pointer corrupted virtual machine

From: Matteo Riondato <matteo@freebsd.org>
To: "Eygene A. Ryabinkin" <freebsd@rea.mbslab.kiae.ru>
Cc: bug-followup@FreeBSD.org, ache@freebsd.org
Subject: Re: conf/84221: Wrong permissions on /etc/opiekeys
Date: Sun, 6 Nov 2005 12:43:24 +0100

 On Sun, Nov 06, 2005 at 02:31:41PM +0300, Eygene A. Ryabinkin wrote:
 > > This was never MFCed to any branch. :(
 >  Can you MFC it? Or should I find some other people to do it?
 
 Sadly, I cannot. I hope ache@ can find the time to MFC it, since he
 committed the fix.
 
 -- 
 Matteo Riondato
 FreeBSD Volunteer (http://freebsd.org)
 G.U.F.I. Staff Member (http://www.gufi.org)
 FreeSBIE Developer (http://www.freesbie.org)

From: "Eygene A. Ryabinkin" <freebsd@rea.mbslab.kiae.ru>
To: Matteo Riondato <matteo@freebsd.org>
Cc: "Eygene A. Ryabinkin" <freebsd@rea.mbslab.kiae.ru>,
	bug-followup@FreeBSD.org, ache@freebsd.org
Subject: Re: conf/84221: Wrong permissions on /etc/opiekeys
Date: Sun, 6 Nov 2005 16:37:44 +0300

 > Sadly, I cannot. I hope ache@ can find the time to MFC it, since he
 > committed the fix.
  No, ache@ told me that he committed it to the -CURRENT, but had no -RELEASE
 at hand, so I should bother someone else. ;) I have some known committers,
 so will it be OK to ask them, or do I need to ask some specific person(s)?
 -- 
  rea
 
 BOFH excuse #337:
 the butane lighter causes the pincushioning

From: Matteo Riondato <matteo@freebsd.org>
To: "Eygene A. Ryabinkin" <freebsd@rea.mbslab.kiae.ru>
Cc: bug-followup@FreeBSD.org, ache@freebsd.org
Subject: Re: conf/84221: Wrong permissions on /etc/opiekeys
Date: Sun, 6 Nov 2005 15:11:11 +0100

 On Sun, Nov 06, 2005 at 04:37:44PM +0300, Eygene A. Ryabinkin wrote:
 > > Sadly, I cannot. I hope ache@ can find the time to MFC it, since he
 > > committed the fix.
 >  No, ache@ told me that he committed it to the -CURRENT, but had no -RELEASE
 > at hand, so I should bother someone else. ;) I have some known committers,
 > so will it be OK to ask them, or do I need to ask some specific person(s)?
 
 Ask them.
 -- 
 Matteo Riondato
 FreeBSD Volunteer (http://freebsd.org)
 G.U.F.I. Staff Member (http://www.gufi.org)
 FreeSBIE Developer (http://www.freesbie.org)
State-Changed-From-To: patched->closed 
State-Changed-By: gavin 
State-Changed-When: Tue Feb 23 14:12:53 UTC 2010 
State-Changed-Why:  
Close this PR.  It's fixed in head, 8 and 7.  It's not fixed in 6, 
but the chances of anybody starting to use opie on 6 who isn't 
already, coupled with the fact that no further releases from the 
6.x branch are expected, means that I see no need to keep this 
PR open. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=84221 
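
The point made in this thread, that the library change only affects newly created key files while an existing 0644 file stays readable until someone runs chmod, shown as an added example (not OPIE code and not part of the original PR). The function names and the temporary path are hypothetical, and the scenario is constructed.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not OPIE code (names hypothetical). Open as a key-file library would; return permission bits, -1 on error. */
static int open_and_get_mode(const char *path, mode_t create_mode)
{
    struct stat st;
    int fd = open(path, O_RDWR | O_CREAT, create_mode); /* mode applies on create only */
    if (fd < 0) return -1;
    int rc = fstat(fd, &st);
    close(fd);
    return rc == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* Audit: 1 if group/other have any access, 0 if owner-only, -1 if not a regular file. */
static int keyfile_is_exposed(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0 || !S_ISREG(st.st_mode)) return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) != 0;
}

/* Constructed upgrade scenario in a private temp dir; r[] receives the observations. */
static int upgrade_scenario(int r[5])
{
    char dir[] = "/tmp/opiedemo.XXXXXX", path[64];
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(path, sizeof path, "%s/opiekeys", dir);
    mode_t old = umask(022);              /* typical default umask */
    r[0] = open_and_get_mode(path, 0644); /* created by the unpatched library */
    r[1] = open_and_get_mode(path, 0600); /* patched library, file already exists */
    r[2] = keyfile_is_exposed(path);      /* audit still flags the file */
    r[3] = chmod(path, 0600) == 0 ? keyfile_is_exposed(path) : -1; /* after manual chmod */
    unlink(path);
    r[4] = open_and_get_mode(path, 0600); /* fresh install with the patch */
    umask(old);
    unlink(path); rmdir(dir);             /* clean up */
    return 0;
}

int main(void)
{
    int r[5], rc = upgrade_scenario(r);
    if (rc == 0) printf("old=%04o reopened=%04o exposed=%d fixed=%d fresh=%04o\n", r[0], r[1], r[2], r[3], r[4]);
    return rc != 0;
}
```
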
>Unformatted:
