The permissions on /etc/opiekeys are wrong: 0644 instead of 0600. It does not make any sense to give the read permission without the write one, just due to the design of OPIE: if one should read and authenticate using /etc/opiekeys, then precisely that being should write the new hash to that file. Thanks to Peter Jeremy for giving me this argument! There was the same bug for S/Key a long time ago, but at that time FreeBSD was maintaining 0600 permissions on the /etc/skeykeys file.

Fix: First, chmod 0600 /etc/opiekeys. Then fix the OPIE sources to create that file with the right permissions.

How-To-Repeat: ls -l /etc/opiekeys
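An added illustration of the design argument in the report (example code, not OPIE's own): a minimal S/Key-style verifier in the RFC 2289 MD5 hash-and-fold scheme, as assumed here (OPIE's real file format and code differ), which has to rewrite the stored hash after every successful login, so read-only access to the key file is useless to it and the file needs no group/other bits. The user, seed and passphrase are constructed sample values.

```python
import hashlib
import os
import tempfile

def _fold(digest: bytes) -> bytes:
    # RFC 2289 reduction: XOR the high and low 8 bytes of the MD5 digest
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))

def otp_value(seed: str, passphrase: str, seq: int) -> bytes:
    # S = fold(MD5(seed || passphrase)); password #seq = S hashed and folded seq times
    v = _fold(hashlib.md5((seed.lower() + passphrase).encode()).digest())
    for _ in range(seq):
        v = _fold(hashlib.md5(v).digest())
    return v

def write_record(path: str, user: str, seq: int, seed: str, h: bytes) -> None:
    # Single-user file "user seq seed hexhash", created 0600 (the mode only applies at creation)
    with open(path, "w", opener=lambda p, f: os.open(p, f, 0o600)) as fp:
        fp.write(f"{user} {seq} {seed} {h.hex()}\n")

def read_record(path: str, user: str):
    with open(path) as fp:
        for line in fp:
            name, seq, seed, h = line.split()
            if name == user:
                return int(seq), seed, bytes.fromhex(h)
    return None

def verify_and_update(path: str, user: str, response: bytes) -> bool:
    # Accept iff hashing the response once more yields the stored hash; the
    # response then becomes the stored hash, so the verifier MUST write the file.
    rec = read_record(path, user)
    if rec is None or rec[0] <= 0 or _fold(hashlib.md5(response).digest()) != rec[2]:
        return False
    write_record(path, user, rec[0] - 1, rec[1], response)
    return True

def keyfile_mode_ok(path: str) -> bool:
    # What the PR's How-To-Repeat checks with ls -l: no group or other permission bits
    return os.stat(path).st_mode & 0o077 == 0

def demo() -> dict:
    # Constructed sample: user "alice", seed "fb1234", enrolled at sequence 3
    path = os.path.join(tempfile.mkdtemp(), "opiekeys")
    write_record(path, "alice", 3, "fb1234", otp_value("fb1234", "correct horse", 3))
    ok = verify_and_update(path, "alice", otp_value("fb1234", "correct horse", 2))
    replay = verify_and_update(path, "alice", otp_value("fb1234", "correct horse", 2))
    bad = verify_and_update(path, "alice", otp_value("fb1234", "wrong pass", 1))
    return {"ok": ok, "replay": replay, "bad": bad,
            "seq": read_record(path, "alice")[0], "mode_ok": keyfile_mode_ok(path)}
```

Rerunning `write_record` on an existing file leaves its mode untouched, which is exactly why a source fix alone does not repair an already installed 0644 key file.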
State Changed From-To: open->patched library fix committed into -current
The patch follows: (for /usr/src/contrib/opie) Thanks to Andrey Chernov for his commit to the -CURRENT. --- libopie/readrec.c.orig Fri Jul 29 16:40:21 2005 +++ libopie/readrec.c Fri Jul 29 16:40:36 2005 @@ -94,7 +94,7 @@ FILE *f = NULL; int rval = -1; - if (!(f = __opieopen(KEY_FILE, 0, 0644))) { + if (!(f = __opieopen(KEY_FILE, 0, 0600))) { #if DEBUG syslog(LOG_DEBUG, "__opiereadrec: __opieopen(KEY_FILE..) failed!"); #endif /* DEBUG */ --- libopie/writerec.c.orig Fri Jul 29 16:40:11 2005 +++ libopie/writerec.c Fri Jul 29 16:40:59 2005 @@ -65,13 +65,13 @@ switch(i) { case 0: - if (!(f = __opieopen(KEY_FILE, 1, 0644))) + if (!(f = __opieopen(KEY_FILE, 1, 0600))) return -1; if (fseek(f, opie->opie_recstart, SEEK_SET)) return -1; break; case 1: - if (!(f = __opieopen(KEY_FILE, 2, 0644))) + if (!(f = __opieopen(KEY_FILE, 2, 0600))) return -1; break; default: --- Makefile.in.orig Fri Jul 29 16:45:26 2005 +++ Makefile.in Fri Jul 29 16:44:13 2005 @@ -237,7 +237,7 @@ @echo "Making sure OPIE database file exists"; @touch $(KEY_FILE) @echo "Changing permissions of OPIE database file" - @chmod 0644 $(KEY_FILE) + @chmod 0600 $(KEY_FILE) @echo "Changing ownership of OPIE database file" @$(CHOWN) $(OWNER) $(KEY_FILE) @chgrp $(GROUP) $(KEY_FILE) -- rea
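Review bot: the 0600 in `__opieopen(KEY_FILE, 0, 0600)` in the readrec.c hunk is a creation mode, so it only takes effect for a key file that does not exist yet; as the thread later notes, OPIE does not touch the mode of an existing file, so installations that already have a 0644 /etc/opiekeys stay that way and the report's manual `chmod 0600 /etc/opiekeys` step should be documented next to this change.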
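Review bot: the writerec.c hunk now repeats the literal 0600 at two call sites (`case 0` and `case 1`) and readrec.c carries a third copy; a single named constant for the key-file mode, defined next to KEY_FILE, would keep the three sites from drifting apart again the way the old 0644s did.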
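Review bot: in the Makefile.in hunk, `@chmod 0600 $(KEY_FILE)` runs unconditionally right after `@touch $(KEY_FILE)`, so every install also resets the mode of an existing key file rather than only a freshly created one; and as pointed out later in the thread, Makefile.in is not used by the FreeBSD build, so the hunk changes nothing in practice while taking the file off the vendor branch. Either drop it or guard the chmod so it only applies to a file the touch actually created.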
And one more fix for /usr/src/lib/libopie/Makefile to help people that are upgrading via make/buildworld to have right permissions on their keyfile. --- Makefile.orig Fri Jul 29 17:10:48 2005 +++ Makefile Fri Jul 29 17:16:00 2005 @@ -7,6 +7,7 @@ SHLIB_MAJOR= 3 KEYFILE?= \"/etc/opiekeys\" +REALKEYFILE= ${KEYFILE:S/\"//g} .PATH: ${DIST_DIR} ${OPIE_DIST}/libmissing @@ -32,5 +33,8 @@ MAN= ${OPIE_DIST}/opie.4 ${OPIE_DIST}/opiekeys.5 ${OPIE_DIST}/opieaccess.5 MLINKS= opie.4 skey.4 + +beforeinstall: + test -f $(REALKEYFILE) && chmod 0600 $(REALKEYFILE) || true .include <bsd.lib.mk> -- rea
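Review bot: the new `beforeinstall` target forces 0600 onto an already installed key file on every `make install`, silently overriding whatever mode the local admin chose (group-readable, for instance), and the trailing `|| true` also swallows a failing chmod. At most this should warn when the file is wider than 0600 rather than change it; note also that the added lines use `$(REALKEYFILE)` where the rest of this Makefile uses the `${...}` form.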
On Fri, Jul 29, 2005 at 01:30:18PM +0000, Eygene A. Ryabinkin wrote: > + > +beforeinstall: > + test -f $(REALKEYFILE) && chmod 0600 $(REALKEYFILE) || true > Permissions of an already installed file are up to the local admin. OPIE itself does not change them after creating the file, so this commit may cause the admin a headache in case, say, he prefers to keep it group-readable. -- http://ache.pp.ru/
On Fri, Jul 29, 2005 at 04:50:13PM +0400, Eygene A. Ryabinkin wrote: > --- Makefile.in.orig Fri Jul 29 16:45:26 2005 > +++ Makefile.in Fri Jul 29 16:44:13 2005 > @@ -237,7 +237,7 @@ > @echo "Making sure OPIE database file exists"; > @touch $(KEY_FILE) > @echo "Changing permissions of OPIE database file" > - @chmod 0644 $(KEY_FILE) > + @chmod 0600 $(KEY_FILE) Since Makefile.in is not used, this change is a no-op but takes the file off the vendor branch. -- http://ache.pp.ru/
This was never MFCed to any branch. :( Best Regards -- Matteo Riondato FreeBSD Volunteer (http://freebsd.org) G.U.F.I. Staff Member (http://www.gufi.org) FreeSBIE Developer (http://www.freesbie.org)
> This was never MFCed to any branch. :( Can you MFC it? Or should I find some other people to do it? -- rea BOFH excuse #373: Suspicious pointer corrupted virtual machine
On Sun, Nov 06, 2005 at 02:31:41PM +0300, Eygene A. Ryabinkin wrote: > > This was never MFCed to any branch. :( > Can you MFC it? Or I should find some other people to do it? Sadly, I cannot. I hope ache@ can find the time to MFC it, since he committed the fix. -- Matteo Riondato FreeBSD Volunteer (http://freebsd.org) G.U.F.I. Staff Member (http://www.gufi.org) FreeSBIE Developer (http://www.freesbie.org)
> Sadly, I cannot. I hope ache@ can find the time to MFC it, since he > committed the fix. No, ache@ told me that he committed it to -CURRENT, but had no -RELEASE at hand, so I should bother someone else. ;) I have some known committers, so will it be OK to ask them, or do I need to ask some specific person(s)? -- rea BOFH excuse #337: the butane lighter causes the pincushioning
On Sun, Nov 06, 2005 at 04:37:44PM +0300, Eygene A. Ryabinkin wrote: > > Sadly, I cannot. I hope ache@ can find the time to MFC it, since he > > committed the fix. > No, ache@ told me that he committed it to -CURRENT, but had no -RELEASE > at hand, so I should bother someone else. ;) I have some known committers, > so will it be OK to ask them, or do I need to ask some specific person(s)? Ask them. -- Matteo Riondato FreeBSD Volunteer (http://freebsd.org) G.U.F.I. Staff Member (http://www.gufi.org) FreeSBIE Developer (http://www.freesbie.org)
State Changed From-To: patched->closed Close this PR. It's fixed in head, 8 and 7. It's not fixed in 6, but the chances of anybody starting to use opie on 6 who isn't already, coupled with the fact that no further releases from the 6.x branch are expected, means that I see no need to keep this PR open.