From mexas@bristol.ac.uk  Tue Feb 28 15:41:51 2012
Return-Path: <mexas@bristol.ac.uk>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id C2EAE106564A
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 28 Feb 2012 15:41:51 +0000 (UTC)
	(envelope-from mexas@bristol.ac.uk)
Received: from dirg.bris.ac.uk (dirg.bris.ac.uk [137.222.10.102])
	by mx1.freebsd.org (Postfix) with ESMTP id 802A58FC12
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 28 Feb 2012 15:41:51 +0000 (UTC)
Received: from ncsd.bris.ac.uk ([137.222.10.59] helo=ncs.bris.ac.uk)
	by dirg.bris.ac.uk with esmtp (Exim 4.72)
	(envelope-from <mexas@bristol.ac.uk>)
	id 1S2Ovc-00023N-2r
	for FreeBSD-gnats-submit@freebsd.org; Tue, 28 Feb 2012 15:25:30 +0000
Received: from mech-cluster241.men.bris.ac.uk ([137.222.187.241])
	by ncs.bris.ac.uk with esmtpsa (TLSv1:AES256-SHA:256)
	(Exim 4.72)
	(envelope-from <mexas@bris.ac.uk>)
	id 1S2OvQ-0004VG-Qu
	for FreeBSD-gnats-submit@freebsd.org; Tue, 28 Feb 2012 15:25:12 +0000
Received: from mech-cluster241.men.bris.ac.uk (localhost [127.0.0.1])
	by mech-cluster241.men.bris.ac.uk (8.14.5/8.14.5) with ESMTP id q1SFPCj9057979
	for <FreeBSD-gnats-submit@freebsd.org>; Tue, 28 Feb 2012 15:25:12 GMT
	(envelope-from mexas@mech-cluster241.men.bris.ac.uk)
Received: (from mexas@localhost)
	by mech-cluster241.men.bris.ac.uk (8.14.5/8.14.5/Submit) id q1SFPCwt057978;
	Tue, 28 Feb 2012 15:25:12 GMT
	(envelope-from mexas)
Message-Id: <201202281525.q1SFPCwt057978@mech-cluster241.men.bris.ac.uk>
Date: Tue, 28 Feb 2012 15:25:12 GMT
From: Anton Shterenlikht <mexas@bristol.ac.uk>
Reply-To: Anton Shterenlikht <mexas@bristol.ac.uk>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [lpr.c] wrong 661 permission for /var/spool/output/lpd/.seq (should be 660) 
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         165533
>Category:       kern
>Synopsis:       [lpr] [patch] wrong 661 permission for /var/spool/output/lpd/.seq (should be 660)
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    eadler
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Feb 28 15:50:10 UTC 2012
>Closed-Date:    Wed Jun 06 06:46:59 UTC 2012
>Last-Modified:  Wed Jun  6 06:50:10 UTC 2012
>Originator:     Anton Shterenlikht
>Release:        FreeBSD 9.0-BETA2 ia64
>Organization:
University of Bristol
>Environment:
System: FreeBSD mech-cluster241.men.bris.ac.uk 9.0-BETA2 FreeBSD 9.0-BETA2 #4 r225618: Fri Sep 16 21:11:50 BST 2011 root@mech-cluster241.men.bris.ac.uk:/usr/obj/usr/src/sys/TZAV ia64


	
>Description:

I've a parallel printer attached to a 9.9-CURRENT #2 r230787M box.
Recently I started seeing this line in daily security output:

   Checking negative group permissions:
   70834 -rw-r----x  1 root  daemon  4 Feb 21 12:54:02 2012 /var/spool/output/lpd/.seq

I think .seq is created with wrong permissions,
thus triggering a security warning.
 
	
>How-To-Repeat:

 # pwd
 /var/spool/output/lpd

 # ls -al
 total 8
 drwxr-xr-x  2 root  daemon  512 Feb 24 12:43 .
 drwxr-xr-x  3 root  daemon  512 Mar  9  2010 ..
 -rw-rw-r--  1 root  daemon   41 Feb 21 12:54 lock
 -rw-rw-r--  1 root  daemon   25 Feb 21 12:54 status
 #
 
 Then I print something, e.g.:
 
 % pwd | lpr
 
 Then this .seq file appears with weird permissions:
 
 # ls -al
 total 10
 drwxr-xr-x  2 root  daemon  512 Feb 24 12:46 .
 drwxr-xr-x  3 root  daemon  512 Mar  9  2010 ..
 -rw-r----x  1 root  daemon    4 Feb 24 12:45 .seq
 -rw-rw-r--  1 root  daemon   41 Feb 24 12:45 lock
 -rw-rw-r--  1 root  daemon   25 Feb 24 12:45 status
 # 
 
 # cat .seq 
 001
 #
	
>Fix:

From: jb <jb.1234abcd@gmail.com>
Date: Tue, 28 Feb 2012 15:07:43 +0000 (UTC)

It is an intermediate-processing (run-time) lockfile found in various spool
dirs and their sub-dirs, like
/var/spool/cron/
          /at,
          /lpd, etc.
It is used to save job# by the respective programs (cron, at, etc).
You can find a ref to .SEQ in file at.c in at port sources.
I did not see ref to .seq in lpr or cron port sources.

The periodic security check
/etc/periodic/security/110.neggrpperm
checks for risque condition like
! -perm +010 -and -perm +001

The file should not be executable, according to its purpose.

So the lpr.c should be changed from
if ((fd = open(buf, O_RDWR|O_CREAT, 0661)) < 0) {
to
if ((fd = open(buf, O_RDWR|O_CREAT, 0660)) < 0) {
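The check that produced the alert compares the group and other permission bits of a file. The following added example (not part of the PR or of FreeBSD's lpr.c) implements that comparison in C, applying the same test to the read and write bits as well as the execute bit the quoted find expression covers, and then creates a .seq file the way mktemps() does, in a constructed scratch directory, to show which creation modes would be flagged. The scratch path and the function names are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flag a mode in which "other" holds a permission bit that "group" lacks,
 * the condition 110.neggrpperm reports. The find expression quoted in the
 * PR, "! -perm +010 -and -perm +001", is the execute-bit instance of this;
 * here the same test is applied to the r, w and x bits. */
int neg_grp_perm(mode_t m)
{
    mode_t grp = (m & S_IRWXG) >> 3;   /* group rwx aligned with other's bits */
    mode_t oth = m & S_IRWXO;
    return (oth & ~grp) != 0;
}

/* Create a .seq file the way mktemps() in lpr.c does (open with O_CREAT and
 * an explicit mode) inside a constructed scratch spool directory, read the
 * mode back from the inode and test it. umask is cleared so the requested
 * mode lands exactly, then restored. Returns 1 if flagged, 0 if not, -1 on error. */
int check_created_mode(mode_t mode)
{
    const char *tmp = getenv("TMPDIR");
    char dir[256], path[300];
    struct stat st;
    mode_t saved;
    int fd, flagged = -1;
    snprintf(dir, sizeof(dir), "%s/lpdspool.XXXXXX", tmp ? tmp : "/tmp");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(path, sizeof(path), "%s/.seq", dir);
    saved = umask(0);
    fd = open(path, O_RDWR|O_CREAT, mode);
    umask(saved);
    if (fd >= 0) {
        if (fstat(fd, &st) == 0)
            flagged = neg_grp_perm(st.st_mode);
        close(fd);
        unlink(path);
    }
    rmdir(dir);
    return flagged;
}

int main(void)
{
    printf("0661 -> %d, 0664 -> %d, 0660 -> %d\n", check_created_mode(0661),
           check_created_mode(0664), check_created_mode(0660)); /* 1, 0, 0 */
    return 0;
}
```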


	
>Release-Note:
>Audit-Trail:

From: J B <jb.1234abcd@gmail.com>
To: bug-followup@FreeBSD.org, mexas@bristol.ac.uk
Cc:  
Subject: Re: kern/165533: [lpr] [patch] wrong 661 permission for
 /var/spool/output/lpd/.seq (should be 660)
Date: Tue, 28 Feb 2012 21:40:08 +0100

 Regarding fix to .seq file permission:
 
 http://ftp.utcluj.ro/pub/docs/ldp/bible-src/howtos/printing.html
 ...
 The Important Files
 Apart from the programs discussed above, each spool directory should
 contain four files - .seq, errs. lock and status. These files should
 have the permissions "-rw-rw-r--". The .seq file contains the job
 number counter for lpr to assign ...
 
 So, we can relax the permission to 0664.
 jb
Responsible-Changed-From-To: freebsd-bugs->eadler 
Responsible-Changed-By: eadler 
Responsible-Changed-When: Thu May 10 18:16:41 UTC 2012 
Responsible-Changed-Why:  
I'll take it. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=165533 
State-Changed-From-To: open->analyzed 
State-Changed-By: eadler 
State-Changed-When: Wed May 16 23:00:49 UTC 2012 
State-Changed-Why:  
awaiting approval 

http://www.freebsd.org/cgi/query-pr.cgi?pr=165533 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/165533: commit references a PR
Date: Wed, 30 May 2012 04:08:44 +0000 (UTC)

 Author: eadler
 Date: Wed May 30 04:08:29 2012
 New Revision: 236289
 URL: http://svn.freebsd.org/changeset/base/236289
 
 Log:
   Relax security permissions on '.seq' file creation - the strict,
   but odd permissions resulted in a security alert from 110.neggrpperm
   
   PR:		kern/165533
   Submitted by:	Anton Shterenlikht <mexas@bristol.ac.uk>
   Submitted by:	J B <jb.1234abcd@gmail.com>
   Approved by:	cperciva
   MFC after:	1 week
 
 Modified:
   head/usr.sbin/lpr/lpr/lpr.c
 
 Modified: head/usr.sbin/lpr/lpr/lpr.c
 ==============================================================================
 --- head/usr.sbin/lpr/lpr/lpr.c	Wed May 30 04:06:38 2012	(r236288)
 +++ head/usr.sbin/lpr/lpr/lpr.c	Wed May 30 04:08:29 2012	(r236289)
 @@ -846,7 +846,7 @@ mktemps(const struct printer *pp)
  
  	(void) snprintf(buf, sizeof(buf), "%s/.seq", pp->spool_dir);
  	seteuid(euid);
 -	if ((fd = open(buf, O_RDWR|O_CREAT, 0661)) < 0) {
 +	if ((fd = open(buf, O_RDWR|O_CREAT, 0664)) < 0) {
  		printf("%s: cannot create %s\n", progname, buf);
  		exit(1);
  	}
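Review bot: the mode in the `+` line is still subject to the caller's umask, so the bits actually set on .seq may be narrower than 0664 (never wider); if a fixed mode is the intent, an fchmod(fd, 0664) after the open is needed. The hunk also picks 0664 where the PR proposed 0660, and the log message only says "relax"; a one-line comment above the open() explaining why world-read is wanted (the spool's lock and status files shown in the PR are 0664) would save the next reader from re-opening the question.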
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: analyzed->patched 
State-Changed-By: eadler 
State-Changed-When: Wed May 30 04:17:32 UTC 2012 
State-Changed-Why:  
committed, awaiting MFC 

http://www.freebsd.org/cgi/query-pr.cgi?pr=165533 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/165533: commit references a PR
Date: Wed,  6 Jun 2012 06:39:05 +0000 (UTC)

 Author: eadler
 Date: Wed Jun  6 06:38:56 2012
 New Revision: 236663
 URL: http://svn.freebsd.org/changeset/base/236663
 
 Log:
   MFC r236289:
   	Relax security permissions on '.seq' file creation - the strict,
   	but odd permissions resulted in a security alert from 110.neggrpperm
   
   PR:		bin/165533
   Approved by:	cperciva (implicit)
 
 Modified:
   stable/9/usr.sbin/lpr/lpr/lpr.c
 Directory Properties:
   stable/9/usr.sbin/lpr/   (props changed)
 
 Modified: stable/9/usr.sbin/lpr/lpr/lpr.c
 ==============================================================================
 --- stable/9/usr.sbin/lpr/lpr/lpr.c	Wed Jun  6 06:35:47 2012	(r236662)
 +++ stable/9/usr.sbin/lpr/lpr/lpr.c	Wed Jun  6 06:38:56 2012	(r236663)
 @@ -846,7 +846,7 @@ mktemps(const struct printer *pp)
  
  	(void) snprintf(buf, sizeof(buf), "%s/.seq", pp->spool_dir);
  	seteuid(euid);
 -	if ((fd = open(buf, O_RDWR|O_CREAT, 0661)) < 0) {
 +	if ((fd = open(buf, O_RDWR|O_CREAT, 0664)) < 0) {
  		printf("%s: cannot create %s\n", progname, buf);
  		exit(1);
  	}
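Review bot: on the stable branch this hunk is merged into, most affected systems already have a .seq created by the old 0661 line, and the mode argument to open() is applied only when the file is created, so 110.neggrpperm will keep reporting those files after the upgrade. The merge should either note that the existing file needs a manual chmod 664 or have the code fchmod() the descriptor after the open so the stale mode is corrected on the next lpr run.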
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/165533: commit references a PR
Date: Wed,  6 Jun 2012 06:39:37 +0000 (UTC)

 Author: eadler
 Date: Wed Jun  6 06:39:14 2012
 New Revision: 236664
 URL: http://svn.freebsd.org/changeset/base/236664
 
 Log:
   MFC r236289:
   	Relax security permissions on '.seq' file creation - the strict,
   	but odd permissions resulted in a security alert from 110.neggrpperm
   
   PR:		bin/165533
   Approved by:	cperciva (implicit)
 
 Modified:
   stable/8/usr.sbin/lpr/lpr/lpr.c
 Directory Properties:
   stable/8/usr.sbin/lpr/   (props changed)
 
 Modified: stable/8/usr.sbin/lpr/lpr/lpr.c
 ==============================================================================
 --- stable/8/usr.sbin/lpr/lpr/lpr.c	Wed Jun  6 06:38:56 2012	(r236663)
 +++ stable/8/usr.sbin/lpr/lpr/lpr.c	Wed Jun  6 06:39:14 2012	(r236664)
 @@ -846,7 +846,7 @@ mktemps(const struct printer *pp)
  
  	(void) snprintf(buf, sizeof(buf), "%s/.seq", pp->spool_dir);
  	seteuid(euid);
 -	if ((fd = open(buf, O_RDWR|O_CREAT, 0661)) < 0) {
 +	if ((fd = open(buf, O_RDWR|O_CREAT, 0664)) < 0) {
  		printf("%s: cannot create %s\n", progname, buf);
  		exit(1);
  	}
 
State-Changed-From-To: patched->closed 
State-Changed-By: eadler 
State-Changed-When: Wed Jun 6 06:46:58 UTC 2012 
State-Changed-Why:  
Committed. Thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=165533 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/165533: commit references a PR
Date: Wed,  6 Jun 2012 06:40:17 +0000 (UTC)

 Author: eadler
 Date: Wed Jun  6 06:39:34 2012
 New Revision: 236665
 URL: http://svn.freebsd.org/changeset/base/236665
 
 Log:
   MFC r236289:
   	Relax security permissions on '.seq' file creation - the strict,
   	but odd permissions resulted in a security alert from 110.neggrpperm
   
   PR:		bin/165533
   Approved by:	cperciva (implicit)
 
 Modified:
   stable/7/usr.sbin/lpr/lpr/lpr.c
 Directory Properties:
   stable/7/usr.sbin/lpr/   (props changed)
 
 Modified: stable/7/usr.sbin/lpr/lpr/lpr.c
 ==============================================================================
 --- stable/7/usr.sbin/lpr/lpr/lpr.c	Wed Jun  6 06:39:14 2012	(r236664)
 +++ stable/7/usr.sbin/lpr/lpr/lpr.c	Wed Jun  6 06:39:34 2012	(r236665)
 @@ -846,7 +846,7 @@ mktemps(const struct printer *pp)
  
  	(void) snprintf(buf, sizeof(buf), "%s/.seq", pp->spool_dir);
  	seteuid(euid);
 -	if ((fd = open(buf, O_RDWR|O_CREAT, 0661)) < 0) {
 +	if ((fd = open(buf, O_RDWR|O_CREAT, 0664)) < 0) {
  		printf("%s: cannot create %s\n", progname, buf);
  		exit(1);
  	}
 
>Unformatted:
