/bin permission too open for TPE (grsecurity)
Hi,
I've fired up a Devuan Jessie beta2 with a grsecurity-enabled kernel, with TPE and PaX. The TPE part caused some trouble because everything inside /bin was not executable by normal system users:
grsec: denied untrusted exec (due to file in group-writable directory) of /bin/dash by /bin/dash[cron:4425] uid/euid:112/112 gid/egid:118/118, parent /usr/sbin/cron[cron:4422] uid/euid:0/0 gid/egid:0/0
After a short investigation I've found that since Debian 8.0 the /bin directory no longer has 755 permissions, but 775.
Devuan 8 / Debian 8 jessie:
# ls -la|grep bin
drwxrwxr-x 2 root root 4096 gen 13 17:41 bin
On a Debian 7 wheezy:
# ls -la|grep bin
drwxr-xr-x 2 root root 4096 set 28 19:26 bin
After a quick chmod 755 /bin everything is back to normal and TPE is not bothered anymore, and cron and the other tools inside /bin can work under system users as always.
I think that the cause of this permission change is some obscure, related thing needed by systemd; otherwise I cannot find any other (good) reason.
Maybe we need to switch back to the old permission mask on Devuan?
-
Why would one need group permissions to write to any of the executables in /bin? This doesn't make sense.
There is a comment in /etc/profile about this being handled now by pam_umask, and from the pam_umask manpage we find out:
The default umask is now set in /etc/default/login or /etc/login.defs or /etc/pam.d/login
If you can identify where this is set for you, I can isolate and fix the related package. Mine is in /etc/login.defs.
fwiw, this must have been a recent change, because my Devuan Jessie systems set it to 022.
Edited by Daniel Reurich -
Why would one need group permissions to write to any of the executables in /bin? This doesn't make sense.
Yeeeeep. At all.
The only thing that I could find is this:
# cat /etc/login.defs|grep UMASK
UMASK		022
As you can see, it is 022 too.
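
The denial quoted at the top of this thread comes from TPE refusing to execute a binary whose directory is group-writable. The following shell functions are an added example (not part of any post in the thread, and not grsecurity's own code) that checks directories for that condition; the function names, the trusted-owner check and the world-writable check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread or from grsecurity.
# Flags directories with the property named in the denial above (group-writable);
# the owner and world-writable checks are extra assumptions of this example.

# tpe_dir_status DIR [TRUSTED_UID]
# Prints "ok" or a comma-separated list of findings; returns 0 only for "ok".
tpe_dir_status() {
    dir=$1
    trusted_uid=${2:-0}
    [ -d "$dir" ] || { echo "missing"; return 2; }
    # -L follows a symlinked directory, -n prints the numeric owner uid.
    ls_out=$(ls -ldLn -- "$dir") || return 2
    read -r perms _links owner _rest <<EOF
$ls_out
EOF
    findings=
    # Mode string is d rwx rwx rwx: char 6 is group-write, char 9 is other-write.
    case $perms in ?????w*) findings="group-writable" ;; esac
    case $perms in ????????w*) findings="${findings:+$findings,}world-writable" ;; esac
    [ "$owner" = "$trusted_uid" ] || findings="${findings:+$findings,}owner-uid-$owner"
    if [ -n "$findings" ]; then echo "$findings"; return 1; fi
    echo "ok"
}

# tpe_audit_path [PATHLIST] [TRUSTED_UID]
# Prints "DIR: findings" for each directory that is not "ok"; returns 1 if any.
tpe_audit_path() {
    list=${1:-$PATH}
    uid=${2:-0}
    rc=0
    old_ifs=$IFS
    IFS=:
    for d in $list; do
        IFS=$old_ifs
        [ -n "$d" ] || continue
        res=$(tpe_dir_status "$d" "$uid") || { echo "$d: $res"; rc=1; }
    done
    IFS=$old_ifs
    return $rc
}
# Usage: tpe_audit_path            (audits every directory in $PATH against uid 0)
```

On the Jessie system described in the first post, `tpe_dir_status /bin` would print `group-writable` before the chmod and `ok` after it.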