Bug 1171879

Summary: screen: /var/run/uscreens conflict between systemd-tmpfiles and permissions entries
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Matthias Gerstner <matthias.gerstner>
Component: Security
Assignee: Michael Schröder <mls>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: alexander_naumov, lnussel, security-team
Version: Current
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1172227

Description Matthias Gerstner 2020-05-19 11:41:28 UTC
There is an ongoing effort to clean up the entries in the permissions profiles.
In this context we found out that the screen package is currently using two
different mechanisms for setting the permissions of /var/run/uscreens.

Originally the permissions were set via the permissions package, which uses
the following paths and settings in its different profiles:

permissions.paranoid:  /var/run/uscreens/  root:trusted  1775
permissions.paranoid:  /run/uscreens/      root:trusted  1775
permissions.easy:      /var/run/uscreens/  root:root     1777
permissions.easy:      /run/uscreens/      root:root     1777
permissions.secure:    /var/run/uscreens/  root:root     1777
permissions.secure:    /run/uscreens/      root:root     1777

For a long time already screen also ships a tmpfiles.d entry which currently
looks like this:

$ cat /usr/lib/tmpfiles.d/screen.conf
 # Screen needs some files in /run:
 d /run/screens 0755 root root -
 d /run/uscreens 1777 root root -

Luckily the permissions are the same for the easy and secure permissions
profiles. If anybody is using the paranoid profile then `systemd-tmpfiles` and
`chkstat` will fight against each other and switch the directory's mode back
and forth.

I suggest relying only on the tmpfiles.d entry in the future. Therefore I'd
remove the above entries from all permissions profiles. For this I'd like to
get your input on whether this is okay for you. Furthermore you need to remove
the invocations of `%set_permissions` and `%verify_permissions` from the screen
package's spec file.
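The conflict described in this report, as an added example (not code from the bug report or from the screen or permissions packages): a small Python check that parses a tmpfiles.d fragment and permissions profile entries, maps /var/run to /run, and lists the paths where the two sources would set different owner, group or mode, which is exactly the situation in which systemd-tmpfiles and chkstat keep overwriting each other. The sample inputs are constructed from the values quoted above; the parsing handles only tmpfiles.d `d`/`D` lines and `profile: path owner:group mode` entries, not the full syntax of either format.

```python
"""Find directories whose ownership/mode is managed by both a tmpfiles.d
fragment and a SUSE permissions profile with different settings.

Added example, not part of the bug report. The sample data below is
constructed from the values quoted in the report; the parsing is a
simplified reading of the two formats (tmpfiles.d 'd'/'D' lines and
'profile: path owner:group mode' entries).
"""
import re

# Constructed sample: tmpfiles.d content as quoted in the report.
TMPFILES_CONF = """\
# Screen needs some files in /run:
d /run/screens 0755 root root -
d /run/uscreens 1777 root root -
"""

# Constructed sample: one entry per line, "profile: path owner:group mode".
PERMISSIONS_ENTRIES = """\
permissions.paranoid: /var/run/uscreens/ root:trusted 1775
permissions.paranoid: /run/uscreens/ root:trusted 1775
permissions.easy: /var/run/uscreens/ root:root 1777
permissions.easy: /run/uscreens/ root:root 1777
permissions.secure: /var/run/uscreens/ root:root 1777
permissions.secure: /run/uscreens/ root:root 1777
"""


def normalize_path(path):
    """Map /var/run (a symlink to /run on systemd systems) onto /run and
    strip a trailing slash so both spellings of a directory compare equal."""
    if path.startswith("/var/run/"):
        path = "/run/" + path[len("/var/run/"):]
    elif path == "/var/run":
        path = "/run"
    return path.rstrip("/") or "/"


def parse_tmpfiles(text):
    """Return {path: (owner, group, mode)} for 'd'/'D' lines of a tmpfiles.d file."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("d", "D"):
            continue  # only directory entries are relevant here
        _type, path, mode, owner, group = fields[:5]
        result[normalize_path(path)] = (owner, group, int(mode, 8))
    return result


def parse_permissions(text):
    """Return {profile: {path: (owner, group, mode)}} from profile entry lines."""
    result = {}
    pattern = re.compile(r"\s*(\S+):\s+(\S+)\s+(\S+):(\S+)\s+([0-7]{3,4})\s*$")
    for line in text.splitlines():
        m = pattern.match(line)
        if not m:
            continue
        profile, path, owner, group, mode = m.groups()
        result.setdefault(profile, {})[normalize_path(path)] = (owner, group, int(mode, 8))
    return result


def find_conflicts(tmpfiles, profiles):
    """Return (profile, path, tmpfiles_setting, profile_setting) tuples for every
    path that both sources manage with a different owner, group or mode."""
    conflicts = []
    for profile, entries in sorted(profiles.items()):
        for path, setting in sorted(entries.items()):
            if path in tmpfiles and tmpfiles[path] != setting:
                conflicts.append((profile, path, tmpfiles[path], setting))
    return conflicts


def fmt(setting):
    owner, group, mode = setting
    return f"{owner}:{group} {mode:04o}"


if __name__ == "__main__":
    found = find_conflicts(parse_tmpfiles(TMPFILES_CONF),
                           parse_permissions(PERMISSIONS_ENTRIES))
    for profile, path, t, p in found:
        print(f"{profile}: {path} tmpfiles.d={fmt(t)} profile={fmt(p)}")
```

On the sample data only the paranoid profile is reported: tmpfiles.d wants root:root 1777 on /run/uscreens while the profile wants root:trusted 1775, so whichever of systemd-tmpfiles or chkstat ran last determines the directory's mode. The easy and secure profiles agree with the tmpfiles.d line and produce no output.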
Comment 1 Matthias Gerstner 2020-08-27 08:47:33 UTC
*** Bug 1175816 has been marked as a duplicate of this bug. ***
Comment 2 Matthias Gerstner 2020-09-08 13:27:23 UTC
A new rpmlint check is now in place to restrict installation of world-writable
directories. Therefore screen would fail to build if we don't whitelist it. A
whitelisting doesn't seem necessary, however. We will remove these entries
from the permissions package.
Comment 3 OBSbugzilla Bot 2020-09-09 11:00:19 UTC
This is an autogenerated message for OBS integration:
This bug (1171879) was mentioned in
https://build.opensuse.org/request/show/833221 Factory / permissions
Comment 4 Matthias Gerstner 2020-09-10 09:35:24 UTC
The necessary changes have been made. I just have to check the permissions
lint report next time, if all findings relating to screen are actually gone.
Comment 5 Matthias Gerstner 2020-09-30 11:01:06 UTC
The screen devel package already builds without the new warning. The Factory
package has not been updated yet, because some other issues are blocking the
submit request.

I will soon enforce the new whitelisting by adding badness to the new
warnings. Once screen is correctly submitted to Factory this should not be a
problem though.

Closing this bug.
Comment 6 OBSbugzilla Bot 2020-11-27 13:10:07 UTC
This is an autogenerated message for OBS integration:
This bug (1171879) was mentioned in
https://build.opensuse.org/request/show/851308 Factory / screen
Comment 7 OBSbugzilla Bot 2021-11-17 15:42:01 UTC
This is an autogenerated message for OBS integration:
This bug (1171879) was mentioned in
https://build.opensuse.org/request/show/931965 15.3 / permissions
Comment 8 Swamp Workflow Management 2021-12-02 20:20:21 UTC
openSUSE-SU-2021:1520-1: An update that solves three vulnerabilities and has 27 fixes is now available.

Category: security (moderate)
Bug References: 1028975,1029961,1093414,1133678,1148788,1150345,1150366,1151190,1157498,1160285,1160764,1161335,1161779,1163588,1167163,1169614,1171164,1171173,1171569,1171580,1171686,1171879,1171882,1173221,1174504,1175720,1175867,1178475,1178476,1183669
CVE References: CVE-2019-3687,CVE-2019-3688,CVE-2020-8013
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    permissions-20200127-lp153.24.3.1