Bug 84221 - Wrong permissions on /etc/opiekeys
Summary: Wrong permissions on /etc/opiekeys
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: conf
Version: 5.4-STABLE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2005-07-28 14:00 UTC by Eygene A. Ryabinkin
Modified: 2010-02-23 14:15 UTC

See Also:


Attachments

Description Eygene A. Ryabinkin 2005-07-28 14:00:24 UTC
 The permissions on /etc/opiekeys are wrong: 0644 instead of 0600. It does not
make any sense to give the read permission without the write one, just due to
the design of OPIE: if one should read and authenticate using /etc/opiekeys,
then precisely that being should write the new hash to that file. Thanks to
Peter Jeremy for giving me this argument!
 There was the same bug for S/Key a long time ago, but at that time FreeBSD
was maintaining 0600 permissions on the /etc/skeykeys file.

Fix: 

First, chmod 0600 /etc/opiekeys. Then fix the OPIE sources to create that file
with the right permissions.
How-To-Repeat:  ls -l /etc/opiekeys
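The How-To-Repeat check above, carried a step further as an added example that is not part of this PR or of OPIE: a POSIX sh audit of a key file's mode and owner. It parses ls -ld output rather than calling stat(1), because stat's flags differ between the FreeBSD and GNU userlands. The function names and the default expected owner of root are assumptions. Why read access matters beyond the read-then-write design point the report makes: each /etc/opiekeys record holds a user's sequence number, seed and the hash of the last accepted one-time password, so a world-readable file hands every local user the material for offline guessing of that user's OPIE secret passphrase.

```sh
#!/bin/sh
# Added example: audit a secret file such as /etc/opiekeys for the mode
# and owner this PR asks for (0600, root).  Uses ls -ld instead of stat(1)
# because stat's flags differ between FreeBSD and GNU userlands.
# Function names and the default owner are assumptions, not OPIE's own code.

# Print the nine permission characters of PATH, e.g. "rw-r--r--".
# Only columns 2-10 are taken, so a trailing "+" (ACL) or "." is ignored.
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# Print the owner name that ls(1) reports for PATH.
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# Succeed iff PATH has no group or other permission bits at all
# (owner bits may be anything, so 0600, 0400 and 0700 all pass).
is_owner_only() {
    case "$(perm_string "$1")" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# Audit PATH.  The expected owner is the second argument; it defaults to
# root, and passing an empty string skips the owner check.  Each finding is
# reported on stderr; the return value is the number of findings (0 = clean).
audit_keyfile() {
    path=$1
    expected_owner=${2-root}
    findings=0

    if [ ! -f "$path" ]; then
        echo "$path: missing or not a regular file" >&2
        return 1
    fi

    if ! is_owner_only "$path"; then
        echo "$path: mode $(perm_string "$path") grants group/other access; expected 0600" >&2
        findings=$((findings + 1))
    fi

    if [ -n "$expected_owner" ] && [ "$(owner_of "$path")" != "$expected_owner" ]; then
        echo "$path: owned by $(owner_of "$path"), expected $expected_owner" >&2
        findings=$((findings + 1))
    fi

    return "$findings"
}

# Typical use on a FreeBSD host, runnable as any user since ls -ld on a
# 0600 file needs no read access to the file itself:
#   audit_keyfile /etc/opiekeys && echo "/etc/opiekeys: OK"
```

The check deliberately accepts 0400 and 0700 as well as 0600: the point of the PR is that nobody but the owner may read the database, not the exact owner bits. Run it after an upgrade or installworld, since the library change in this PR only affects a key file that OPIE creates itself and never touches the mode of one that already exists.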
Comment 1 Andrey A. Chernov freebsd_committer 2005-07-29 11:01:55 UTC
State Changed
From-To: open->patched

library fix committed into -current
Comment 2 freebsd 2005-07-29 13:50:13 UTC
 The patch follows: (for /usr/src/contrib/opie)
 Thanks to Andrey Chernov for his commit to the -CURRENT.

--- libopie/readrec.c.orig	Fri Jul 29 16:40:21 2005
+++ libopie/readrec.c	Fri Jul 29 16:40:36 2005
@@ -94,7 +94,7 @@
   FILE *f = NULL;
   int rval = -1;
 
-  if (!(f = __opieopen(KEY_FILE, 0, 0644))) {
+  if (!(f = __opieopen(KEY_FILE, 0, 0600))) {
 #if DEBUG
     syslog(LOG_DEBUG, "__opiereadrec: __opieopen(KEY_FILE..) failed!");
 #endif /* DEBUG */
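Review bot: the third argument to __opieopen() is only the creation mode, so this change in __opiereadrec() does nothing for a key file that already exists with 0644; it matters only when a read path opens a missing KEY_FILE and creates it. Keep the change, but the submission should say explicitly (as the PR's Fix section does) that existing installations still need a manual chmod 0600 on the key file, since neither the library nor this hunk will tighten it.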
--- libopie/writerec.c.orig	Fri Jul 29 16:40:11 2005
+++ libopie/writerec.c	Fri Jul 29 16:40:59 2005
@@ -65,13 +65,13 @@
 
   switch(i) {
   case 0:
-    if (!(f = __opieopen(KEY_FILE, 1, 0644)))
+    if (!(f = __opieopen(KEY_FILE, 1, 0600)))
       return -1;
     if (fseek(f, opie->opie_recstart, SEEK_SET))
       return -1;
     break;
   case 1:
-    if (!(f = __opieopen(KEY_FILE, 2, 0644)))
+    if (!(f = __opieopen(KEY_FILE, 2, 0600)))
       return -1;
     break;
   default:
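Review bot: the literal 0600 now appears twice in this hunk and once more in readrec.c; define it once, for example a KEY_FILE_MODE macro beside KEY_FILE, so the three open sites cannot drift apart again the way 0644 did. A pre-existing leak is also visible in the context lines of case 0: if fseek() fails the function returns -1 without fclose(f). Not introduced by this patch, but worth a follow-up since this code path is being touched anyway.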
--- Makefile.in.orig	Fri Jul 29 16:45:26 2005
+++ Makefile.in	Fri Jul 29 16:44:13 2005
@@ -237,7 +237,7 @@
 	@echo "Making sure OPIE database file exists";
 	@touch $(KEY_FILE)
 	@echo "Changing permissions of OPIE database file"
-	@chmod 0644 $(KEY_FILE)
+	@chmod 0600 $(KEY_FILE)
 	@echo "Changing ownership of OPIE database file"
 	@$(CHOWN) $(OWNER) $(KEY_FILE)
 	@chgrp $(GROUP) $(KEY_FILE)
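Review bot: drop this hunk from the FreeBSD submission. Makefile.in under contrib/opie is not used by the FreeBSD build, so the chmod change here has no effect on installed systems and only takes a vendor-branch file off the vendor branch, complicating future imports (Andrey Chernov makes the same point in Comment 5). If the 0600 default is wanted in the upstream install target, send it to the OPIE maintainers; the in-tree fix is the library change plus the installation step.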
-- 
 rea
Comment 3 freebsd 2005-07-29 14:22:40 UTC
 And one more fix for /usr/src/lib/libopie/Makefile to help people that are
upgrading via make/buildworld to have the right permissions on their keyfile.

--- Makefile.orig       Fri Jul 29 17:10:48 2005
+++ Makefile    Fri Jul 29 17:16:00 2005
@@ -7,6 +7,7 @@
 SHLIB_MAJOR=    3
 
 KEYFILE?=      \"/etc/opiekeys\"
+REALKEYFILE=   ${KEYFILE:S/\"//g}
 
 .PATH: ${DIST_DIR} ${OPIE_DIST}/libmissing
 
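Review bot: the :S/\"//g modifier deletes every double quote in KEYFILE, which is what the escaped default \"/etc/opiekeys\" needs, but it leaves the quoted form as the source of truth and derives the real path from it. The more robust direction is the reverse: keep an unquoted KEYFILE path and build the quoted value from it, so the path the chmod acts on cannot diverge from the one compiled into the library. Minor style point: the rest of this file uses ${VAR}, while the new target uses $(VAR).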
@@ -32,5 +33,8 @@
 MAN=   ${OPIE_DIST}/opie.4 ${OPIE_DIST}/opiekeys.5 ${OPIE_DIST}/opieaccess.5
 
 MLINKS=        opie.4 skey.4
+
+beforeinstall:
+       test -f $(REALKEYFILE) && chmod 0600 $(REALKEYFILE) || true
 
 .include <bsd.lib.mk>
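Review bot: the beforeinstall target acts on the bare absolute path /etc/opiekeys rather than ${DESTDIR}${REALKEYFILE}, so an installworld run with DESTDIR set (release builds, jails, installing into a mounted root) will chmod the build host's own key file and leave the target system untouched. It also silently overrides whatever mode the local administrator chose for an already-installed file, and the trailing `|| true` hides a failing chmod as well as a missing file. Prefer `if [ -f ${DESTDIR}${REALKEYFILE} ]; then chmod 0600 ${DESTDIR}${REALKEYFILE}; fi` so a real chmod error still stops the install, and decide explicitly whether install time should change an existing file's mode at all; Andrey Chernov objects to that in Comment 4.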

-- 
 rea
Comment 4 Andrey A. Chernov freebsd_committer 2005-07-29 15:07:41 UTC
On Fri, Jul 29, 2005 at 01:30:18PM +0000, Eygene A. Ryabinkin wrote:
>  +
>  +beforeinstall:
>  +       test -f $(REALKEYFILE) && chmod 0600 $(REALKEYFILE) || true
>   

Permissions of an already installed file are up to the local admin. OPIE itself
does not change them after creating it, so this commit may cause an admin's headache
in case, say, he prefers to keep it group-readable.

-- 
http://ache.pp.ru/
_______________________________________________
freebsd-bugs@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-bugs
To unsubscribe, send any mail to "freebsd-bugs-unsubscribe@freebsd.org"
Comment 5 Andrey A. Chernov freebsd_committer 2005-07-29 15:09:26 UTC
On Fri, Jul 29, 2005 at 04:50:13PM +0400, Eygene A. Ryabinkin wrote:
> --- Makefile.in.orig	Fri Jul 29 16:45:26 2005
> +++ Makefile.in	Fri Jul 29 16:44:13 2005
> @@ -237,7 +237,7 @@
>  	@echo "Making sure OPIE database file exists";
>  	@touch $(KEY_FILE)
>  	@echo "Changing permissions of OPIE database file"
> -	@chmod 0644 $(KEY_FILE)
> +	@chmod 0600 $(KEY_FILE)

Since Makefile.in is not used, this change is no-op but takes the 
file off the vendor branch.

-- 
http://ache.pp.ru/
Comment 6 Matteo Riondato freebsd_committer 2005-11-04 21:12:01 UTC
This was never MFCed to any branch. :(
Best Regards
-- 
Matteo Riondato
FreeBSD Volunteer (http://freebsd.org)
G.U.F.I. Staff Member (http://www.gufi.org)
FreeSBIE Developer (http://www.freesbie.org)
Comment 7 freebsd 2005-11-06 11:31:41 UTC
> This was never MFCed to any branch. :(
 Can you MFC it? Or I should find some other people to do it?
-- 
 rea

BOFH excuse #373:
Suspicious pointer corrupted virtual machine
Comment 8 Matteo Riondato freebsd_committer 2005-11-06 11:43:24 UTC
On Sun, Nov 06, 2005 at 02:31:41PM +0300, Eygene A. Ryabinkin wrote:
> > This was never MFCed to any branch. :(
>  Can you MFC it? Or I should find some other people to do it?

Sadly, I cannot. I hope ache@ can find the time to MFC it, since he
committed the fix.

-- 
Matteo Riondato
FreeBSD Volunteer (http://freebsd.org)
G.U.F.I. Staff Member (http://www.gufi.org)
FreeSBIE Developer (http://www.freesbie.org)
Comment 9 freebsd 2005-11-06 13:37:44 UTC
> Sadly, I cannot. I hope ache@ can find the time to MFC it, since he
> committed the fix.
 No, ache@ told me that he committed it to the -CURRENT, but had no -RELEASE
at hand, so I should bother someone else. ;) I have some known committers,
so will it be OK to ask them, or do I need to ask some specific person(s)?
-- 
 rea

BOFH excuse #337:
the butane lighter causes the pincushioning
Comment 10 Matteo Riondato freebsd_committer 2005-11-06 14:11:11 UTC
On Sun, Nov 06, 2005 at 04:37:44PM +0300, Eygene A. Ryabinkin wrote:
> > Sadly, I cannot. I hope ache@ can find the time to MFC it, since he
> > committed the fix.
>  No, ache@ told me that he commited it to the -CURRENT, but had no -RELEASE
> at hand, so I should bother someone else. ;) I have some known commiters,
> so will it be OK to ask them, or I need to ask some specific person(s)?

Ask them.
-- 
Matteo Riondato
FreeBSD Volunteer (http://freebsd.org)
G.U.F.I. Staff Member (http://www.gufi.org)
FreeSBIE Developer (http://www.freesbie.org)
Comment 11 Gavin Atkinson freebsd_committer freebsd_triage 2010-02-23 14:12:53 UTC
State Changed
From-To: patched->closed

Close this PR.  It's fixed in head, 8 and 7.  It's not fixed in 6, 
but the chances of anybody starting to use opie on 6 who isn't 
already, coupled with the fact that no further releases from the 
6.x branch are expected, means that I see no need to keep this 
PR open.