[Security] Permissions incorrect on some of Python's files

GJones
Donor
Posts: 300
Joined: 22. Jul 2011, 23:27

Post by GJones »

According to OSSEC:

From ossecm@defiant.network  Fri Jan 25 11:09:14 2013
Return-Path: <ossecm@defiant.network>
Received: from notify.ossec.net (localhost [127.0.0.1])
	by defiant.network (8.14.5/8.14.5) with SMTP id r0PG9ERd006521
	for <proteus@localhost>; Fri, 25 Jan 2013 11:09:14 -0500
Message-Id: <201301251609.r0PG9ERd006521@defiant.network>
To: <proteus@defiant.network>
From: OSSEC HIDS <ossecm@defiant.network>
Date: Fri, 25 Jan 2013 11:09:14 -0500
Subject: OSSEC Notification - defiant - Alert level 7

OSSEC HIDS Notification.
2013 Jan 25 11:09:03

Received From: defiant->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

File '/usr/lib/python2.7/site-packages/distribute-0.6.32-py2.7.egg-info/SOURCES.txt' is owned by root and has written permissions to anyone.



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2013 Jan 25 11:09:03

Received From: defiant->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

File '/usr/lib/python2.7/site-packages/distribute-0.6.32-py2.7.egg-info/PKG-INFO' is owned by root and has written permissions to anyone.



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2013 Jan 25 11:09:03

Received From: defiant->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

File '/usr/lib/python2.7/site-packages/distribute-0.6.32-py2.7.egg-info/zip-safe' is owned by root and has written permissions to anyone.



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2013 Jan 25 11:09:03

Received From: defiant->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

File '/usr/lib/python2.7/site-packages/distribute-0.6.32-py2.7.egg-info/top_level.txt' is owned by root and has written permissions to anyone.



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2013 Jan 25 11:09:03

Received From: defiant->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

File '/usr/lib/python2.7/site-packages/distribute-0.6.32-py2.7.egg-info/dependency_links.txt' is owned by root and has written permissions to anyone.



 --END OF NOTIFICATION



OSSEC HIDS Notification.
2013 Jan 25 11:09:03

Received From: defiant->rootcheck
Rule: 510 fired (level 7) -> "Host-based anomaly detection event (rootcheck)."
Portion of the log(s):

File '/usr/lib/python2.7/site-packages/distribute-0.6.32-py2.7.egg-info/entry_points.txt' is owned by root and has written permissions to anyone.



 --END OF NOTIFICATION

Indeed, those files have permissions rw-rw-rw-. Methinks this may be a problem.

Edit: From cursory Googling, the correct permissions are 0644 for those files, not 0666.
sqlpython
Donor
Posts: 310
Joined: 13. Aug 2010, 04:53
Location: Ct. USA

Re: [Security] Permissions incorrect on some of Python's fil

Post by sqlpython »

I checked my Salix install, which is 13.1 and uses Python 2.6, where the problem does not exist.
My installs of Debian Wheezy & Sid as well as Arch and Gentoo have Python 2.7 and Python 3.
The aforementioned installs are OK, without any such write issues on the listed Python files.

end of transmit.. :)
Slackware ( Manjaro ) Salix, AntiX, Bunsen, Calculate
jayseye
Posts: 233
Joined: 24. Jul 2011, 17:22
Location: Brownsmead, Oregon (Center of the Universe)

Re: [Security] Permissions incorrect on some of Python's fil

Post by jayseye »

Running Salix 13.37 Fluxbox, I do find a similar situation. All files in this directory are owned by root and world-writable:

/usr/lib/python2.6/site-packages/distribute-0.6.32-py2.6.egg/EGG-INFO/

Does anyone know whether this poses a security risk? If so, it's likely an upstream issue, as the distribute package is a user add-on, rather than one shipped by default IIRC. It's a very popular package, though.

In any case, if there really is a risk here, users may want to fix those file permissions. So a definitive answer would be welcome!
sqlpython
Donor
Posts: 310
Joined: 13. Aug 2010, 04:53
Location: Ct. USA

Re: [Security] Permissions incorrect on some of Python's fil

Post by sqlpython »

^ Well seems Jones has found via Google that permissions can/should be corrected.
I would suggest that GJones post the Google link and Users can make up their minds as to the validity.
Slackware ( Manjaro ) Salix, AntiX, Bunsen, Calculate
GJones
Donor
Posts: 300
Joined: 22. Jul 2011, 23:27

Re: [Security] Permissions incorrect on some of Python's fil

Post by GJones »

Can do:
https://bugs.archlinux.org/task/30020

Not the same problem, but according to that Arch bug report the correct permissions are 644. I set the above files to 644 manually and did not have any problems.
GJones
Donor
Posts: 300
Joined: 22. Jul 2011, 23:27

Re: [Security] Permissions incorrect on some of Python's fil

Post by GJones »

jayseye wrote:
Running Salix 13.37 Fluxbox, I do find a similar situation. All files in this directory are owned by root and world-writable:

/usr/lib/python2.6/site-packages/distribute-0.6.32-py2.6.egg/EGG-INFO/

Does anyone know whether this poses a security risk? If so, it's likely an upstream issue, as the distribute package is a user add-on, rather than one shipped by default IIRC. It's a very popular package, though.

In any case, if there really is a risk here, users may want to fix those file permissions. So a definitive answer would be welcome!

Well, the files are world-writable; which means that, if they're loaded by Wicd or some other daemon that uses Python, they could maybe be tampered with in a way that allows a root shell. Can't give a definitive answer, but I'd say that's cause for concern. :)
jayseye
Posts: 233
Joined: 24. Jul 2011, 17:22
Location: Brownsmead, Oregon (Center of the Universe)

Re: [Security] Permissions incorrect on some of Python's fil

Post by jayseye »

Actually this link reports the opposite type of problem, where files are write protected, but they actually need to be world writable:
That's exactly why I'd like to find a definitive answer before changing any permissions. :wink:
GJones
Donor
Posts: 300
Joined: 22. Jul 2011, 23:27

Re: [Security] Permissions incorrect on some of Python's fil

Post by GJones »

World readable, not world writable. 644 is world readable but writable only by the owner. ;)

# touch foo
# chmod 644 foo
# ls -l
total 0
-rw-r--r-- 1 root root 0 Jan 26 07:21 foo
jayseye
Posts: 233
Joined: 24. Jul 2011, 17:22
Location: Brownsmead, Oregon (Center of the Universe)

Re: [Security] Permissions incorrect on some of Python's fil

Post by jayseye »

Sigh. :cry:
GJones
Donor
Posts: 300
Joined: 22. Jul 2011, 23:27

Re: [Security] Permissions incorrect on some of Python's fil

Post by GJones »

Well, the permissions on everything other than the files in the distribute-0.6.32-py2.6.egg dir are 644. :|

I tried to verify the permissions on OpenSUSE, but OpenSUSE's Python 2.7 does not have that directory; so I guess it is an upstream issue with Slackware. :(
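
The check and fix discussed in this thread, as an added example that is not from any of the posters: POSIX shell functions that list world-writable regular files owned by a given user under a directory (the condition the OSSEC rootcheck alert reports) and remove the group and other write bits, so 0666 becomes 0644. The function names and the temporary demo tree are constructed for illustration; the owner defaults to root and can be overridden to try it unprivileged.

```shell
#!/bin/sh
# Added example: audit and repair world-writable files under a package tree.
# Function names are hypothetical; the demo tree is constructed in a temp dir.

# Print regular files under $1, owned by $2 (default root), that have the
# "other" write bit set. -xdev keeps find on the same filesystem.
list_world_writable() {
    find "$1" -xdev -type f -user "${2:-root}" -perm -0002 -print
}

# Number of files list_world_writable reports for the same arguments.
count_world_writable() {
    list_world_writable "$1" "${2:-root}" | wc -l | tr -d ' '
}

# Remove group and other write bits from the files found above.
# 0666 becomes 0644; read and execute bits are left untouched.
fix_world_writable() {
    find "$1" -xdev -type f -user "${2:-root}" -perm -0002 \
        -exec chmod go-w {} +
}

# Constructed demo: two files at 0666 and one already at 0644, owned by the
# current user so no root access is needed to run it.
demo() {
    tmp=$(mktemp -d) || return 1
    me=$(id -u)
    egg="$tmp/distribute-0.6.32-py2.7.egg-info"
    mkdir -p "$egg"
    for f in SOURCES.txt PKG-INFO top_level.txt; do
        : > "$egg/$f"
    done
    chmod 666 "$egg/SOURCES.txt" "$egg/PKG-INFO"
    chmod 644 "$egg/top_level.txt"
    before=$(count_world_writable "$tmp" "$me")
    fix_world_writable "$tmp" "$me"
    after=$(count_world_writable "$tmp" "$me")
    rm -rf "$tmp"
    echo "before=$before after=$after"
}

demo
```

On a real system, run `list_world_writable /usr/lib/python2.7/site-packages` first and review the output before calling `fix_world_writable` as root.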