author | root <root@rshg054.dnsready.net> | 2013-08-29 03:06:29 -0700 |
---|---|---|
committer | root <root@rshg054.dnsready.net> | 2013-08-29 03:06:29 -0700 |
commit | 0a2b1eeb31400e539041c83cc1a5952f1c880917 (patch) | |
tree | e957f8274799baeebffbefd8182fa1e7f106979f /community/fcron | |
parent | d4e7f77644a42f66c76c525abf0bd5d47c6431eb (diff) |
Thu Aug 29 03:04:08 PDT 2013
Diffstat (limited to 'community/fcron')
-rw-r--r-- | community/fcron/PKGBUILD | 25 | ||||
-rw-r--r-- | community/fcron/fcron.install | 31 |
2 files changed, 45 insertions, 11 deletions
diff --git a/community/fcron/PKGBUILD b/community/fcron/PKGBUILD index 3e60e52d5..f43d56671 100644 --- a/community/fcron/PKGBUILD +++ b/community/fcron/PKGBUILD @@ -1,4 +1,4 @@ -# $Id: PKGBUILD 91897 2013-05-29 00:39:11Z seblu $ +# $Id: PKGBUILD 96423 2013-08-28 15:04:05Z seblu $ # Contributor: Giorgio Lando <lando at imap dot cc> # Contributor: Sergej Pupykin # Contributor: Thomas Bächler @@ -7,13 +7,17 @@ pkgname=fcron pkgver=3.1.2 -pkgrel=7 +pkgrel=8 pkgdesc='Feature-rich cron implementation' arch=(i686 x86_64) url='http://fcron.free.fr' license=('GPL') depends=('pam' 'run-parts') -makedepends=('smtp-forwarder' 'vi') +makedepends=('smtp-forwarder' 'vi' 'fcron') +# use fcron as recursive deps to have user fcron installed during installation +# else add the following in build chroot +# groupadd -g 23 fcron +# useradd -r -d /var/spool/fcron -u 23 -g 23 fcron optdepends=('smtp-forwarder: to send mails from cron jobs' 'vi: default editor for fcrontab') provides=('cron') @@ -30,13 +34,14 @@ md5sums=('36bf213e15f3a480f2274f8e46cced0a' build() { cd $pkgname-$pkgver + # Don't use --username=root and --groupname=root, this completly break + # fcron security and allow local root escalation. + # Thanks to Anh K. Huynh <kyanh@theslinux.org> for reporting it. ./configure --prefix=/usr \ --sbindir=/usr/bin \ --sysconfdir=/etc/fcron \ --with-answer-all=no \ --with-boot-install=no \ - --with-username=root \ - --with-groupname=root \ --datarootdir=/usr/share \ --datadir=/usr/share \ --with-docdir=/usr/share/doc \ 
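Review bot: In the `@@ -7,13 +7,17 @@` hunk, `makedepends=(... 'fcron')` only puts the fcron account into the build root if the installed fcron already ships the new install script. That account creation is added to fcron.install by this same commit, so a chroot that pulls in pkgrel 7 still has no such user and the manual `groupadd`/`useradd` from the comment is needed for the first build. The packaged ownership of the fcron binaries presumably follows from that account, so build() should fail loudly when it is absent, e.g. `getent passwd fcron >/dev/null || { echo 'fcron user missing in build root' >&2; return 1; }` before `./configure`. The comment would also be clearer if it said that uid/gid 23 must match the values used in fcron.install.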
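Review bot: In the `@@ -30,13 +34,14 @@` hunk the fix relies on configure's defaults once `--with-username=root` and `--with-groupname=root` are dropped. Passing `--with-username=fcron \` and `--with-groupname=fcron \` explicitly would keep the owner of the installed binaries pinned in the PKGBUILD rather than implied, and would match the account created in fcron.install. The added comment spells the flags `--username`/`--groupname`, which is not how they appear on the removed lines, and it does not say what actually goes wrong (presumably fcrontab ends up running with root's identity, which is worth confirming against the upstream documentation). build() continues past the end of this hunk.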
@@ -44,22 +49,20 @@ build() { --with-systemdsystemunitdir=/usr/lib/systemd/system \ --with-piddir=/run \ --with-editor=/usr/bin/vi \ - --with-sendmail=/usr/sbin/sendmail + --with-sendmail=/usr/bin/sendmail make } package() { cd $pkgname-$pkgver - make DESTDIR="$pkgdir/" install - install -D -m644 "$srcdir/$pkgname-$pkgver/files/fcron.pam" "$pkgdir/etc/pam.d/fcron" - - install -D -m644 "$srcdir/$pkgname-$pkgver/files/fcrontab.pam" "$pkgdir/etc/pam.d/fcrontab" + install -Dm644 files/fcron.pam "$pkgdir/etc/pam.d/fcron" + install -Dm644 files/fcrontab.pam "$pkgdir/etc/pam.d/fcrontab" # Install a default fcrontab so that fcron can completely replace dcron # We doesn't use binary format which is incompatible between arch and may cause crash # We regenerate the binary format at each update - install -D -m640 "$srcdir/systab.orig" "$pkgdir/var/spool/fcron/systab.orig" + install -Dm640 "$srcdir/systab.orig" "$pkgdir/var/spool/fcron/systab.orig" # Add cron.* directories install -d -m755 "$pkgdir/etc/cron.daily" diff --git a/community/fcron/fcron.install b/community/fcron/fcron.install index f7b0abddf..eda215a44 100644 --- a/community/fcron/fcron.install +++ b/community/fcron/fcron.install @@ -1,5 +1,8 @@ # arg 1: the new package version post_install() { + # we need a dedicated fcron user + getent group fcron >/dev/null || groupadd -g 23 fcron + getent passwd fcron >/dev/null || useradd -r -d /var/spool/fcron -u 23 -g 23 fcron # Generate binary format which is incompatible between arch fcrontab -z -u systab &>/dev/null } 
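Review bot: In the fcron.install hunk `@@ -1,5 +1,8 @@`, post_install() skips creation whenever a `fcron` name already exists and ignores the result of `groupadd`/`useradd`, so it never establishes that the account really has uid/gid 23. If id 23 is already taken, or an existing fcron account has other ids, files shipped with numeric owner 23 could end up belonging to a different account (this depends on how ownership is stored in the package, so confirm). Compare `$(id -u fcron)` and `$(getent group fcron | cut -d: -f3)` against 23 after creation and print a warning on mismatch. The service account also needs no login shell; add `-s /bin/false` to the `useradd` line.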
@@ -8,6 +11,34 @@ post_install() { # arg 2: the old package version post_upgrade() { post_install "$1" + if (( $(vercmp $2 3.1.2-8) < 0 )); then + echo 'Previous versions of fcron allow root priviledge escalation by using' + echo 'runas option in crontabs. fcron check rights at crontab compilation.' + echo 'Thus, the migration script will recreate the binary crontabs' + echo 'for you (with all side effects) and fix the files rights.' + # fix invalid etc files + for _f in /etc/fcron/fcron.{conf,allow,deny}; do + [[ -e $_f ]] || continue + chown root:fcron "$_f" + chmod 640 "$_f" + done + # fix invalid spool directory + chown fcron:fcron /var/spool/fcron + chmod 770 /var/spool/fcron + # regen user fcron files + cd /var/spool/fcron + for _f in *; do + if [[ "${_f%.orig}" != "$_f" ]]; then + chgrp fcron "$_f" + fcrontab -z -u "${_f%.orig}" &>/dev/null + fi + done + fi +} + +post_remove() { + userdel fcron &>/dev/null + groupdel fcron &>/dev/null } # vim:set ts=2 sw=2 et: |
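Review bot: In post_upgrade() the result of `cd /var/spool/fcron` is not checked, so if it fails the `for _f in *` loop runs `chgrp` and `fcrontab -z` against whatever the current directory holds. The loop also lets `chgrp` follow a symlink named `*.orig` and treats a name beginning with `-` as an option, and `&>/dev/null` hides a failed recompile, in which case the old binary crontab (compiled under the previous rules) presumably stays in place. The message says rights are checked at compilation; it is worth confirming that `fcrontab -z -u USER` run by root evaluates `runas` against USER rather than root. Separately, post_remove() deletes the account but leaves the spool files owned by uid 23 behind for whichever account receives that id next. A tightened version of the regeneration loop follows.

```shell
    # … unchanged: version check, messages, chown/chmod of /etc/fcron files and spool dir …
    # regen user fcron files
    cd /var/spool/fcron || { echo 'fcron: cannot enter /var/spool/fcron' >&2; return 1; }
    for _f in ./*.orig; do
      # skip the unmatched glob and anything that is not a plain file
      [[ -f $_f && ! -L $_f ]] || continue
      _u=${_f#./}
      _u=${_u%.orig}
      chgrp fcron "$_f"
      fcrontab -z -u "$_u" >/dev/null 2>&1 ||
        echo "fcron: crontab for $_u was not recompiled, review it by hand" >&2
    done
```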