Bug 1172550

Summary: systemd: /var/log/journal/ setgid directory uses systemd-tmpfiles but is also listed in permissions profiles
Product: [Novell Products] SUSE Security Incidents
Reporter: Matthias Gerstner <matthias.gerstner>
Component: Incidents
Assignee: Matthias Gerstner <matthias.gerstner>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: fbui, security-team, wolfgang.frisch
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/260833/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1172227

Description Matthias Gerstner 2020-06-05 08:18:36 UTC
systemd has been using a systemd-tmpfiles drop-in file
(/usr/lib/tmpfiles.d/systemd.conf) to manage the mode of /var/log/journal/ for
years.

In parallel the Base:System/permissions package listed this path in its
profiles. This represents a conflict that doesn't show at the moment, because
the settings between systemd and permissions are the same except for the
"paranoid" permissions profile, which is used very little if at all.

For this reason the entries from the permissions profiles have been removed:

https://github.com/openSUSE/permissions/commit/38b63c0a4fbf78800374c575e163de48524e251b

As these entries also served as a whitelisting we need to avoid packaging this
directory using the setgid bit in the systemd package. Instead the invocation
of systemd-tmpfiles during %post will need to do the trick. This bug exists to
track and document this.
Comment 1 Franck Bui 2020-06-10 16:43:59 UTC
I don't know how the Base:System/permissions package is used or what it is supposed to protect from, but it looks like tmpfiles is a nice way to bypass it, no?
Comment 2 Matthias Gerstner 2020-06-12 07:57:06 UTC
(In reply to fbui@suse.com from comment #1)
> I don't know how Base:System/permissions package is used or what it is
> supposed to protect from but it looks like tmpfiles is a nice way to bypass
> it, no ?

The permissions package is a SUSE specific framework that handles different
file permission profiles. So the user can select from an "easy to use" down to
"paranoid security" profile. See the config files /etc/permissions.* in
regular SUSE installations. Also coupled to this package is - a bit
unfortunate - a whitelisting mechanism to restrict packages from shipping
privileged binaries or directories that are sensitive to security issues.

And yes, systemd-tmpfiles is a nice and easy way to bypass it. The
permissions package is age old and wasn't kept in a clean state for years.
That is exactly why the security team is currently in the process of tracking
down inconsistencies. Once we're done with the cleanup we also plan to monitor
and further restrict packages to avoid such situations in the first place.
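The description and the reply above both come down to two checks: whether a path that systemd-tmpfiles manages is also listed, with different values, in one of the /etc/permissions.* profiles, and whether a package still ships a setgid (or setuid, sticky, world-writable) path that no profile entry whitelists. The script below is an added illustration of those two checks; it is not the permissions package's own linter, not systemd code, and not part of this bug thread. It assumes only the line formats documented in tmpfiles.d(5) ("Type Path Mode User Group Age Argument") and permissions(5) ("path owner:group mode", with "+capabilities" continuation lines), and all file contents and the package file list embedded in it are constructed samples, including the made-up "paranoid" values, not copies of the real SUSE files.

```python
"""Cross-check systemd-tmpfiles entries against SUSE permissions profiles.

Added example for illustration only: not code from systemd or from the
openSUSE permissions package. All sample file contents below are
constructed, not copied from a real system.
"""
import stat

# Bits that make a path "privileged" for whitelisting purposes.
PRIV_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX | stat.S_IWOTH
# tmpfiles.d types whose entries carry mode/user/group for the path itself.
TMPFILES_TYPES = {"d", "D", "f", "F", "z", "Z", "v", "q", "Q", "e"}
DIR_TYPES = {"d", "D", "v", "q", "Q", "e"}


def norm(path):
    """Profiles write directories with a trailing slash; tmpfiles does not."""
    return path if path == "/" else path.rstrip("/")


def parse_tmpfiles(text):
    """Parse tmpfiles.d(5) lines into {path: (mode, user, group)}.

    'z'/'Z' entries with mode '-' leave the mode alone and are skipped;
    the '~' and ':' mode prefixes are dropped so the numeric value compares.
    """
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)  # the Argument field may contain spaces
        typ = fields[0].rstrip("!-+=~^")  # strip type modifier characters
        if typ not in TMPFILES_TYPES or len(fields) < 2:
            continue
        mode, user, group = (fields[2:5] + ["-", "-", "-"])[:3]
        if mode == "-":
            if typ in ("z", "Z"):
                continue  # "adjust" without a mode: nothing to compare
            mode = "0755" if typ in DIR_TYPES else "0644"  # tmpfiles defaults
        result[norm(fields[1])] = (int(mode.lstrip("~:"), 8),
                                   "root" if user == "-" else user,
                                   "root" if group == "-" else group)
    return result


def parse_profile(text):
    """Parse a permissions(5) profile: '<path> <owner>:<group> <mode>' lines.

    '+capabilities ...' continuation lines belong to the preceding path and
    are not relevant to the mode/owner comparison, so they are skipped.
    """
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("+"):
            continue
        path, owner, mode = line.split()
        user, group = owner.split(":", 1)
        result[norm(path)] = (int(mode, 8), user, group)
    return result


def conflicts(tmpfiles, profile):
    """Paths managed by both sources whose mode or ownership disagree."""
    return sorted((path, tmpfiles[path], profile[path])
                  for path in tmpfiles.keys() & profile.keys()
                  if tmpfiles[path] != profile[path])


def unlisted_privileged(packaged, profile):
    """Paths a package ships with privileged bits that no profile entry
    whitelists. `packaged` is {path: mode} as in the RPM file list."""
    return sorted(path for path, mode in packaged.items()
                  if mode & PRIV_BITS and norm(path) not in profile)


# Constructed sample in the format of a tmpfiles.d drop-in.
SAMPLE_TMPFILES = """\
# type path mode user group age argument
z /var/log/journal 2755 root systemd-journal - -
z /var/log/journal/%m 2755 root systemd-journal - -
d /run/user 0755 root root - -
"""

# Constructed sample profiles in /etc/permissions.* format. The "paranoid"
# values are made up to show a divergence, not taken from the real profile.
PROFILE_SECURE = """\
/var/log/journal/        root:systemd-journal  2755
/usr/bin/ping            root:root             0755
 +capabilities cap_net_raw=ep
"""
PROFILE_PARANOID = """\
/var/log/journal/        root:root             0700
/usr/bin/ping            root:root             0755
"""

# Constructed file list of a package that still ships the directory setgid.
PACKAGED = {"/var/log/journal": 0o2755, "/usr/lib/systemd/systemd": 0o755}


if __name__ == "__main__":
    tmp = parse_tmpfiles(SAMPLE_TMPFILES)
    for name, prof in (("secure", PROFILE_SECURE), ("paranoid", PROFILE_PARANOID)):
        for path, t, p in conflicts(tmp, parse_profile(prof)):
            print(f"{name}: {path}: tmpfiles {t[0]:04o} {t[1]}:{t[2]} "
                  f"vs profile {p[0]:04o} {p[1]}:{p[2]}")
    # Once the profile entries are removed, a setgid directory packaged by
    # the RPM is no longer whitelisted and must come from tmpfiles instead.
    print("unlisted:", unlisted_privileged(PACKAGED, parse_profile("")))
```

Run against the samples, the "secure" profile agrees with the tmpfiles entry and produces no conflict, the "paranoid" sample disagrees on /var/log/journal, and with the profile entries removed the packaged setgid directory shows up as unlisted, which is the situation the description describes: the directory has to be created by the %post systemd-tmpfiles run rather than shipped with the setgid bit in the package.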
Comment 3 Franck Bui 2020-06-15 09:53:23 UTC
In case of /var/log/journal directory the permissions are fixed and well defined, regardless of the security profile. If set differently, that would be a bug.
Comment 4 Matthias Gerstner 2020-07-06 14:03:23 UTC
(In reply to fbui@suse.com from comment #3)
> If set differently, that would be a bug.

Which is why we are in this bug, talking about it ;-)

Somebody in the past obviously thought it might be a good idea to manage this
directory via the permissions package.

So in the Factory package of systemd this is already addressed. The
permission profiles are also cleaned up. There should be no need to fix this
in older codestreams, since the danger of breaking things is small (only in
the paranoid permissions profile, which breaks a lot more than just systemd).

I keep the bug open until I can verify that our permissions linter no longer
complains about this.
Comment 5 Matthias Gerstner 2020-07-07 13:53:37 UTC
Okay our linter is no longer complaining. I'm closing this bug as fixed.