every day my security output reports these changes. Sure, it's no big deal, and I can just ignore it, but why is sabnzbd setting files with setuid at all? This a huge security risk especially if sabnzbd is run as root, which I'm sure someone out there is doing. Having files setuid as well as having them write permission? BAD combo.Checking setuid files and devices:
myhost.org setuid diffs:
--- /var/log/setuid.today 2009-05-09 03:16:15.000000000 -0700
+++ /tmp/security.Nk3iyE3O 2009-05-10 03:15:16.289403503 -0700
@@ -111,9 +111,13 @@
8780 -rwsrwsrwt 1 debonair wheel 249600 Jan 4 05:20:12 2009 /void/nzb_etc/cache/SABnzbd_article_1ckNb5
10003 -rwsrwsrwt 1 debonair wheel 163840 Jan 7 02:07:10 2009 /void/nzb_etc/cache/SABnzbd_article_1fj6v4
9999 -rwsrwsrwt 1 debonair wheel 384000 Jan 7 02:07:10 2009 /void/nzb_etc/cache/SABnzbd_article_20-sch
+ 19142 -rwsrwsrwt 1 debonair wheel 249600 May 9 10:53:56 2009 /void/nzb_etc/cache/SABnzbd_article_8FkoP0
10002 -rwsrwsrwt 1 debonair wheel 384000 Jan 7 02:07:10 2009 /void/nzb_etc/cache/SABnzbd_article_Iao67Z
+ 19144 -rwsrwsrwt 1 debonair wheel 249600 May 9 10:53:56 2009 /void/nzb_etc/cache/SABnzbd_article_KIRSrs
8778 -rwsrwsrwt 1 debonair wheel 249600 Jan 4 05:20:12 2009 /void/nzb_etc/cache/SABnzbd_article_McZu-c
9998 -rwsrwsrwt 1 debonair wheel 384000 Jan 7 02:07:10 2009 /void/nzb_etc/cache/SABnzbd_article_Q21ZEf
+ 19143 -rwsrwsrwt 1 debonair wheel 249600 May 9 10:53:56 2009 /void/nzb_etc/cache/SABnzbd_article_V_AsRU
10000 -rwsrwsrwt 1 debonair wheel 384000 Jan 7 02:07:10 2009 /void/nzb_etc/cache/SABnzbd_article_Ys6A3h
+ 19145 -rwsrwsrwt 1 debonair wheel 249600 May 9 10:53:56 2009 /void/nzb_etc/cache/SABnzbd_article_aq0Lxm
8779 -rwsrwsrwt 1 debonair wheel 249600 Jan 4 05:20:12 2009 /void/nzb_etc/cache/SABnzbd_article_hDsGen
10001 -rwsrwsrwt 1 debonair wheel 384000 Jan 7 02:07:10 2009 /void/nzb_etc/cache/SABnzbd_article_s5SkKk
sabnzbd should not, need not modify setuid permissions
Forum rules
Help us help you:
Help us help you:
- Are you using the latest stable version of SABnzbd? Downloads page.
- Tell us what system you run SABnzbd on.
- Adhere to the forum rules.
- Do you experience problems during downloading?
Check your connection in Status and Interface settings window.
Use Test Server in Config > Servers.
We will probably ask you to do a test using only basic settings. - Do you experience problems during repair or unpacking?
Enable +Debug logging in the Status and Interface settings window and share the relevant parts of the log here using [ code ] sections.
sabnzbd should not, need not modify setuid permissions
Re: sabnzbd should not, need not modify setuid permissions
Isn't this what you asked it do?
You specify the permission bits, which value did you use?
You specify the permission bits, which value did you use?
Re: sabnzbd should not, need not modify setuid permissions
These are the default settings. I would think that one would want different permissions between files and folders...
i.e. dirs to be +x and files not to be. Perhaps a common setting like 755 for dir, and 644 for files.
i.e. dirs to be +x and files not to be. Perhaps a common setting like 755 for dir, and 644 for files.
Re: sabnzbd should not, need not modify setuid permissions
By default, the permissions are not set at all.
At the start of the program the umask is set to private files only (so effectively u+rx).
Only when you set the "permissions" field in Config->Folders, the permissions will be
explicitly set for the final result.
Do you have a sticky bit set on the highest folder?
At the start of the program the umask is set to private files only (so effectively u+rx).
Only when you set the "permissions" field in Config->Folders, the permissions will be
explicitly set for the final result.
Do you have a sticky bit set on the highest folder?
Re: sabnzbd should not, need not modify setuid permissions
No, I don't. But please note that it's not the final directory that has the permission problem, but the cache directory, and I have no control over how to set permissions there.
Re: sabnzbd should not, need not modify setuid permissions
For the cache folder, SABnzbd relies on correct settings for the existing folder.
If it needs to create the folder by itself (because it did not exist) it creates it
under the user account the program runs under and tells the OS that the files are private.
On my system at least (Ubuntu) and on OSX only folders get the X-bit, not the files.
What kind of OS do you use?
If it needs to create the folder by itself (because it did not exist) it creates it
under the user account the program runs under and tells the OS that the files are private.
On my system at least (Ubuntu) and on OSX only folders get the X-bit, not the files.
What kind of OS do you use?
Re: sabnzbd should not, need not modify setuid permissions
cache_dir = /void/nzb_etc/cache
that folder is set to 0755
FreeBSD 7.2-RELEASE
Example folder output:
The security email I got this morning indicated that setuid changed only on files from January. (jan 4 and jan 7)
that folder is set to 0755
FreeBSD 7.2-RELEASE
Example folder output:
note that only some files are getting it.-rw------- 1 debonair wheel 244K May 9 10:22 SABnzbd_article_JCk_8Z
-rw------- 1 debonair wheel 750K May 9 18:41 SABnzbd_article_Ja1ryi
-rw------- 1 debonair wheel 244K Jan 4 12:33 SABnzbd_article_JorWyg
-rwsrwsrwt 1 debonair wheel 244K May 9 10:53 SABnzbd_article_KIRSrs
-rw------- 1 debonair wheel 244K May 9 10:22 SABnzbd_article_KbRA-H
-rw------- 1 debonair wheel 244K Jan 31 20:39 SABnzbd_article_KbgA6b
-rw------- 1 debonair wheel 750K May 9 18:41 SABnzbd_article_Kd40BN
-rw------- 1 debonair wheel 244K May 9 10:22 SABnzbd_article_L9dvSA
-rw------- 1 debonair wheel 244K Jan 31 22:00 SABnzbd_article_LmpSRf
-rwsrwsrwt 1 debonair wheel 244K Jan 4 05:20 SABnzbd_article_McZu-c
-rw------- 1 debonair wheel 244K May 9 10:22 SABnzbd_article_Muse-7
-rw------- 1 debonair wheel 750K May 9 18:41 SABnzbd_article_NCUhT8
-rw------- 1 debonair wheel 375K Jan 7 09:28 SABnzbd_article_NMmes5
-rw------- 1 debonair wheel 377K Mar 7 08:45 SABnzbd_article_NXJcmo
-rw------- 1 debonair wheel 375K Jan 7 09:28 SABnzbd_article_NkaGvg
-rw------- 1 debonair wheel 244K Jan 31 20:40 SABnzbd_article_NzFuce
-rw------- 1 debonair wheel 244K Jan 31 22:00 SABnzbd_article_O1_BNc
-rw------- 1 debonair wheel 375K Jan 17 07:46 SABnzbd_article_ODZbbn
-rw------- 1 debonair wheel 375K Jan 7 09:29 SABnzbd_article_OJ4yLS
-rw------- 1 debonair wheel 244K Jan 31 22:00 SABnzbd_article_OJTI8Q
-rw------- 1 debonair wheel 244K Mar 28 12:18 SABnzbd_article_OXxhkz
-rw------- 1 debonair wheel 244K May 9 10:22 SABnzbd_article_OhTowj
The security email I got this morning indicated that setuid changed only on files from January. (jan 4 and jan 7)