sabnzbd should not, need not modify setuid permissions

eydaimon
Jr. Member
Posts: 86
Joined: March 16th, 2008, 2:00 pm

sabnzbd should not, need not modify setuid permissions

Post by eydaimon »

Checking setuid files and devices:

myhost.org setuid diffs:
--- /var/log/setuid.today 2009-05-09 03:16:15.000000000 -0700
+++ /tmp/security.Nk3iyE3O 2009-05-10 03:15:16.289403503 -0700
@@ -111,9 +111,13 @@
    8780 -rwsrwsrwt  1 debonair  wheel      249600 Jan  4 05:20:12 2009 /void/nzb_etc/cache/SABnzbd_article_1ckNb5
  10003 -rwsrwsrwt  1 debonair  wheel      163840 Jan  7 02:07:10 2009 /void/nzb_etc/cache/SABnzbd_article_1fj6v4
    9999 -rwsrwsrwt  1 debonair  wheel      384000 Jan  7 02:07:10 2009 /void/nzb_etc/cache/SABnzbd_article_20-sch
+  19142 -rwsrwsrwt  1 debonair  wheel      249600 May  9 10:53:56 2009 /void/nzb_etc/cache/SABnzbd_article_8FkoP0
  10002 -rwsrwsrwt  1 debonair  wheel      384000 Jan  7 02:07:10 2009 /void/nzb_etc/cache/SABnzbd_article_Iao67Z
+  19144 -rwsrwsrwt  1 debonair  wheel      249600 May  9 10:53:56 2009 /void/nzb_etc/cache/SABnzbd_article_KIRSrs
    8778 -rwsrwsrwt  1 debonair  wheel      249600 Jan  4 05:20:12 2009 /void/nzb_etc/cache/SABnzbd_article_McZu-c
    9998 -rwsrwsrwt  1 debonair  wheel      384000 Jan  7 02:07:10 2009 /void/nzb_etc/cache/SABnzbd_article_Q21ZEf
+  19143 -rwsrwsrwt  1 debonair  wheel      249600 May  9 10:53:56 2009 /void/nzb_etc/cache/SABnzbd_article_V_AsRU
  10000 -rwsrwsrwt  1 debonair  wheel      384000 Jan  7 02:07:10 2009 /void/nzb_etc/cache/SABnzbd_article_Ys6A3h
+  19145 -rwsrwsrwt  1 debonair  wheel      249600 May  9 10:53:56 2009 /void/nzb_etc/cache/SABnzbd_article_aq0Lxm
    8779 -rwsrwsrwt  1 debonair  wheel      249600 Jan  4 05:20:12 2009 /void/nzb_etc/cache/SABnzbd_article_hDsGen
  10001 -rwsrwsrwt  1 debonair  wheel      384000 Jan  7 02:07:10 2009 /void/nzb_etc/cache/SABnzbd_article_s5SkKk
Every day my security output reports these changes. Sure, it's no big deal, and I can just ignore it, but why is sabnzbd setting files with setuid at all? This is a huge security risk, especially if sabnzbd is run as root, which I'm sure someone out there is doing. Having files setuid as well as having write permission on them? BAD combo.
shypike
Administrator
Posts: 19774
Joined: January 18th, 2008, 12:49 pm

Re: sabnzbd should not, need not modify setuid permissions

Post by shypike »

Isn't this what you asked it to do?
You specify the permission bits; which value did you use?
eydaimon
Jr. Member
Posts: 86
Joined: March 16th, 2008, 2:00 pm

Re: sabnzbd should not, need not modify setuid permissions

Post by eydaimon »

These are the default settings. I would think that one would want different permissions between files and folders...

i.e. dirs to be +x and files not to be. Perhaps a common setting like 755 for dir, and 644 for files.
shypike
Administrator
Posts: 19774
Joined: January 18th, 2008, 12:49 pm

Re: sabnzbd should not, need not modify setuid permissions

Post by shypike »

By default, the permissions are not set at all.
At the start of the program the umask is set to private files only (so effectively u+rx).
Only when you set the "permissions" field in Config->Folders, the permissions will be
explicitly set for the final result.

Do you have a sticky bit set on the highest folder?
eydaimon
Jr. Member
Posts: 86
Joined: March 16th, 2008, 2:00 pm

Re: sabnzbd should not, need not modify setuid permissions

Post by eydaimon »

No, I don't.  But please note that it's not the final directory that has the permission problem, but the cache directory, and I have no control over how to set permissions there.
shypike
Administrator
Posts: 19774
Joined: January 18th, 2008, 12:49 pm

Re: sabnzbd should not, need not modify setuid permissions

Post by shypike »

For the cache folder, SABnzbd relies on correct settings for the existing folder.
If it needs to create the folder by itself (because it did not exist) it creates it
under the user account the program runs under and tells the OS that the files are private.
On my system at least (Ubuntu) and on OSX only folders get the X-bit,  not the files.

What kind of OS do you use?
eydaimon
Jr. Member
Posts: 86
Joined: March 16th, 2008, 2:00 pm

Re: sabnzbd should not, need not modify setuid permissions

Post by eydaimon »

cache_dir = /void/nzb_etc/cache

that folder is set to 0755

FreeBSD 7.2-RELEASE

Example folder output:
-rw-------  1 debonair  wheel   244K May  9 10:22 SABnzbd_article_JCk_8Z
-rw-------  1 debonair  wheel   750K May  9 18:41 SABnzbd_article_Ja1ryi
-rw-------  1 debonair  wheel   244K Jan  4 12:33 SABnzbd_article_JorWyg
-rwsrwsrwt  1 debonair  wheel   244K May  9 10:53 SABnzbd_article_KIRSrs
-rw-------  1 debonair  wheel   244K May  9 10:22 SABnzbd_article_KbRA-H
-rw-------  1 debonair  wheel   244K Jan 31 20:39 SABnzbd_article_KbgA6b
-rw-------  1 debonair  wheel   750K May  9 18:41 SABnzbd_article_Kd40BN
-rw-------  1 debonair  wheel   244K May  9 10:22 SABnzbd_article_L9dvSA
-rw-------  1 debonair  wheel   244K Jan 31 22:00 SABnzbd_article_LmpSRf
-rwsrwsrwt  1 debonair  wheel   244K Jan  4 05:20 SABnzbd_article_McZu-c
-rw-------  1 debonair  wheel   244K May  9 10:22 SABnzbd_article_Muse-7
-rw-------  1 debonair  wheel   750K May  9 18:41 SABnzbd_article_NCUhT8
-rw-------  1 debonair  wheel   375K Jan  7 09:28 SABnzbd_article_NMmes5
-rw-------  1 debonair  wheel   377K Mar  7 08:45 SABnzbd_article_NXJcmo
-rw-------  1 debonair  wheel   375K Jan  7 09:28 SABnzbd_article_NkaGvg
-rw-------  1 debonair  wheel   244K Jan 31 20:40 SABnzbd_article_NzFuce
-rw-------  1 debonair  wheel   244K Jan 31 22:00 SABnzbd_article_O1_BNc
-rw-------  1 debonair  wheel   375K Jan 17 07:46 SABnzbd_article_ODZbbn
-rw-------  1 debonair  wheel   375K Jan  7 09:29 SABnzbd_article_OJ4yLS
-rw-------  1 debonair  wheel   244K Jan 31 22:00 SABnzbd_article_OJTI8Q
-rw-------  1 debonair  wheel   244K Mar 28 12:18 SABnzbd_article_OXxhkz
-rw-------  1 debonair  wheel   244K May  9 10:22 SABnzbd_article_OhTowj
Note that only some files are getting it.

The security email I got this morning indicated that setuid changed only on files from January (Jan 4 and Jan 7).
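
A way to check listings like the ones posted in this thread for the bits the security report flags, as an added example that is not part of the thread or of SABnzbd's code: it parses `ls -l` mode strings (with or without the report's leading `+` and inode columns), names the risky bits, and shows what mode a file created with an ordinary 0666 request gets under umask 077. The temporary file name and all function names are assumptions made for the example.

```python
import os
import stat
import tempfile

RISKY = {"setuid": stat.S_ISUID, "setgid": stat.S_ISGID,
         "sticky": stat.S_ISVTX, "world-writable": stat.S_IWOTH}

def mode_from_ls(perms):
    """Convert an ls -l string such as '-rwsrwsrwt' to a numeric mode."""
    mode = 0
    for i, special in enumerate((stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)):
        r, w, x = perms[1 + 3 * i:4 + 3 * i]
        if r == "r":
            mode |= 0o400 >> (3 * i)
        if w == "w":
            mode |= 0o200 >> (3 * i)
        if x in "xst":          # lower case s/t: execute bit is also set
            mode |= 0o100 >> (3 * i)
        if x in "sStT":         # any s/t: setuid, setgid or sticky
            mode |= special
    return mode

def risky_bits(mode):
    return [name for name, bit in RISKY.items() if mode & bit]

def audit_listing(lines):
    """Map file name -> risky bits for every listing line that has any."""
    findings = {}
    for line in lines:
        fields = line.split()
        # First 10-character field that looks like a mode string.
        perms = next((f for f in fields if len(f) == 10 and f[0] in "-dl"), None)
        if perms and risky_bits(mode_from_ls(perms)):
            findings[fields[-1]] = risky_bits(mode_from_ls(perms))
    return findings

def mode_created_under_umask(umask=0o077):
    """Create a file requesting mode 0666 under the given umask; return its mode."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, "SABnzbd_article_example")  # constructed name
            os.close(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666))
            return stat.S_IMODE(os.lstat(path).st_mode)
    finally:
        os.umask(old)

# Two lines taken from the folder listing posted in the thread.
SAMPLE = ["-rw-------  1 debonair  wheel   244K May  9 10:22 SABnzbd_article_JCk_8Z",
          "-rwsrwsrwt  1 debonair  wheel   244K May  9 10:53 SABnzbd_article_KIRSrs"]
```

`audit_listing(SAMPLE)` reports only the second file, with all four risky bits (mode 7777), while `mode_created_under_umask()` returns 0600, the mode of the `-rw-------` entries.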