sabnzbd should not, need not modify setuid permissions
Posted: May 10th, 2009, 11:13 am
by eydaimon
Checking setuid files and devices:
myhost.org setuid diffs:
--- /var/log/setuid.today 2009-05-09 03:16:15.000000000 -0700
+++ /tmp/security.Nk3iyE3O 2009-05-10 03:15:16.289403503 -0700
@@ -111,9 +111,13 @@
8780 -rwsrwsrwt 1 debonair wheel 249600 Jan 4 05:20:12 2009 /void/nzb_etc/cache/SABnzbd_article_1ckNb5
10003 -rwsrwsrwt 1 debonair wheel 163840 Jan 7 02:07:10 2009 /void/nzb_etc/cache/SABnzbd_article_1fj6v4
9999 -rwsrwsrwt 1 debonair wheel 384000 Jan 7 02:07:10 2009 /void/nzb_etc/cache/SABnzbd_article_20-sch
+ 19142 -rwsrwsrwt 1 debonair wheel 249600 May 9 10:53:56 2009 /void/nzb_etc/cache/SABnzbd_article_8FkoP0
10002 -rwsrwsrwt 1 debonair wheel 384000 Jan 7 02:07:10 2009 /void/nzb_etc/cache/SABnzbd_article_Iao67Z
+ 19144 -rwsrwsrwt 1 debonair wheel 249600 May 9 10:53:56 2009 /void/nzb_etc/cache/SABnzbd_article_KIRSrs
8778 -rwsrwsrwt 1 debonair wheel 249600 Jan 4 05:20:12 2009 /void/nzb_etc/cache/SABnzbd_article_McZu-c
9998 -rwsrwsrwt 1 debonair wheel 384000 Jan 7 02:07:10 2009 /void/nzb_etc/cache/SABnzbd_article_Q21ZEf
+ 19143 -rwsrwsrwt 1 debonair wheel 249600 May 9 10:53:56 2009 /void/nzb_etc/cache/SABnzbd_article_V_AsRU
10000 -rwsrwsrwt 1 debonair wheel 384000 Jan 7 02:07:10 2009 /void/nzb_etc/cache/SABnzbd_article_Ys6A3h
+ 19145 -rwsrwsrwt 1 debonair wheel 249600 May 9 10:53:56 2009 /void/nzb_etc/cache/SABnzbd_article_aq0Lxm
8779 -rwsrwsrwt 1 debonair wheel 249600 Jan 4 05:20:12 2009 /void/nzb_etc/cache/SABnzbd_article_hDsGen
10001 -rwsrwsrwt 1 debonair wheel 384000 Jan 7 02:07:10 2009 /void/nzb_etc/cache/SABnzbd_article_s5SkKk
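Review bot: the four added entries all carry mode -rwsrwsrwt, which decodes as setuid, setgid and sticky on top of rwx for owner, group and world (octal 7777), and all four share the same timestamp, May 9 10:53:56 2009, and the same owner, debonair:wheel. A setuid file that anyone can overwrite is the combination this periodic check exists to flag, so the useful next step is to find out what ran as that account at that second and chmod'ed those four cache files, rather than to treat the report as noise; the hunk header shows four lines added and none removed, so nothing else in the listing changed.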
Every day my security output reports these changes. Sure, it's no big deal, and I can just ignore it, but why is sabnzbd setting files with setuid at all? This is a huge security risk, especially if sabnzbd is run as root, which I'm sure someone out there is doing. Having files setuid as well as giving them write permission? BAD combo.
Re: sabnzbd should not, need not modify setuid permissions
Posted: May 10th, 2009, 1:34 pm
by shypike
Isn't this what you asked it to do?
You specify the permission bits, which value did you use?
Re: sabnzbd should not, need not modify setuid permissions
Posted: May 10th, 2009, 4:01 pm
by eydaimon
These are the default settings. I would think that one would want different permissions between files and folders...
i.e. dirs to be +x and files not to be. Perhaps a common setting like 755 for dir, and 644 for files.
Re: sabnzbd should not, need not modify setuid permissions
Posted: May 11th, 2009, 2:00 am
by shypike
By default, the permissions are not set at all.
At the start of the program the umask is set to private files only (so effectively u+rx).
Only when you set the "permissions" field in Config->Folders will the permissions be
explicitly set for the final result.
Do you have a sticky bit set on the highest folder?
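As an added illustration of the umask and "permissions" field behaviour described in this reply (example code written for this page, not SABnzbd's own; the function names, the config strings and the scratch files are assumptions): a 0o077 umask leaves newly created files at 0600, an octal field parsed without masking carries setuid/setgid/sticky straight into chmod, and a hardened parser refuses such values before they reach the filesystem.

```python
import os
import stat
import tempfile

# Added example (not SABnzbd's code): how a process-wide umask and an
# explicit "permissions" config field interact when a downloader writes files.


def create_with_umask(path: str, mask: int) -> int:
    """Create `path` under `mask` and return the resulting permission bits.

    open() asks the OS for 0o666 on a new file; the umask strips bits from
    that request, so a mask of 0o077 leaves 0o600 (owner-only, no x bit).
    """
    old = os.umask(mask)
    try:
        with open(path, "wb") as fh:
            fh.write(b"article data\n")  # constructed content
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def parse_permissions(field: str) -> int:
    """Naive parse of an octal 'permissions' string: every bit is kept.

    "7777" therefore carries setuid, setgid and sticky on top of rwxrwxrwx.
    """
    return int(field, 8)


def safe_permissions(field: str) -> int:
    """Hardened parse: reject setuid/setgid/sticky and world-writable values."""
    mode = int(field, 8)
    if mode & ~0o777:
        raise ValueError(f"permissions {field!r} set setuid/setgid/sticky bits")
    if mode & stat.S_IWOTH:
        raise ValueError(f"permissions {field!r} make files world-writable")
    return mode


def apply_permissions(path: str, field: str, hardened: bool) -> str:
    """chmod `path` from a config string and return the ls -l style mode."""
    mode = safe_permissions(field) if hardened else parse_permissions(field)
    os.chmod(path, mode)
    return stat.filemode(os.stat(path).st_mode)


def demo() -> dict:
    """Run the scenarios in a scratch directory and return what each produced."""
    work = tempfile.mkdtemp(prefix="perm-demo-")  # assumed scratch location
    private = os.path.join(work, "SABnzbd_article_private")
    shared = os.path.join(work, "SABnzbd_article_shared")
    results = {
        # umask 0o077: "private files only", as the reply above describes
        "umask_077": oct(create_with_umask(private, 0o077)),
        # umask 0o022: the usual shell default, group/other readable
        "umask_022": oct(create_with_umask(shared, 0o022)),
        # what a naive chmod of "7777" looks like in ls -l output
        "naive_7777": stat.filemode(stat.S_IFREG | parse_permissions("7777")),
    }
    # the naive path really does put the setuid bit on an ordinary data file
    results["naive_7777_on_disk"] = apply_permissions(private, "7777", hardened=False)
    results["naive_sets_setuid"] = bool(os.stat(private).st_mode & stat.S_ISUID)
    # the hardened path accepts a sane value and refuses the dangerous one
    results["hardened_644"] = apply_permissions(shared, "644", hardened=True)
    try:
        apply_permissions(shared, "7777", hardened=True)
        results["hardened_rejects_7777"] = False
    except ValueError:
        results["hardened_rejects_7777"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `safe_permissions` is that a permissions field is a chmod argument in disguise: anything above 0o777 in it lands on every file the program touches, and a tool that only ever writes data files has no reason to accept those bits.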
Re: sabnzbd should not, need not modify setuid permissions
Posted: May 18th, 2009, 11:04 am
by eydaimon
No, I don't. But please note that it's not the final directory that has the permission problem, but the cache directory, and I have no control over how to set permissions there.
Re: sabnzbd should not, need not modify setuid permissions
Posted: May 18th, 2009, 12:05 pm
by shypike
For the cache folder, SABnzbd relies on correct settings for the existing folder.
If it needs to create the folder by itself (because it did not exist) it creates it
under the user account the program runs under and tells the OS that the files are private.
On my system at least (Ubuntu) and on OSX only folders get the X-bit, not the files.
What kind of OS do you use?
Re: sabnzbd should not, need not modify setuid permissions
Posted: May 21st, 2009, 11:06 am
by eydaimon
cache_dir = /void/nzb_etc/cache
that folder is set to 0755
FreeBSD 7.2-RELEASE
Example folder output:
-rw------- 1 debonair wheel 244K May 9 10:22 SABnzbd_article_JCk_8Z
-rw------- 1 debonair wheel 750K May 9 18:41 SABnzbd_article_Ja1ryi
-rw------- 1 debonair wheel 244K Jan 4 12:33 SABnzbd_article_JorWyg
-rwsrwsrwt 1 debonair wheel 244K May 9 10:53 SABnzbd_article_KIRSrs
-rw------- 1 debonair wheel 244K May 9 10:22 SABnzbd_article_KbRA-H
-rw------- 1 debonair wheel 244K Jan 31 20:39 SABnzbd_article_KbgA6b
-rw------- 1 debonair wheel 750K May 9 18:41 SABnzbd_article_Kd40BN
-rw------- 1 debonair wheel 244K May 9 10:22 SABnzbd_article_L9dvSA
-rw------- 1 debonair wheel 244K Jan 31 22:00 SABnzbd_article_LmpSRf
-rwsrwsrwt 1 debonair wheel 244K Jan 4 05:20 SABnzbd_article_McZu-c
-rw------- 1 debonair wheel 244K May 9 10:22 SABnzbd_article_Muse-7
-rw------- 1 debonair wheel 750K May 9 18:41 SABnzbd_article_NCUhT8
-rw------- 1 debonair wheel 375K Jan 7 09:28 SABnzbd_article_NMmes5
-rw------- 1 debonair wheel 377K Mar 7 08:45 SABnzbd_article_NXJcmo
-rw------- 1 debonair wheel 375K Jan 7 09:28 SABnzbd_article_NkaGvg
-rw------- 1 debonair wheel 244K Jan 31 20:40 SABnzbd_article_NzFuce
-rw------- 1 debonair wheel 244K Jan 31 22:00 SABnzbd_article_O1_BNc
-rw------- 1 debonair wheel 375K Jan 17 07:46 SABnzbd_article_ODZbbn
-rw------- 1 debonair wheel 375K Jan 7 09:29 SABnzbd_article_OJ4yLS
-rw------- 1 debonair wheel 244K Jan 31 22:00 SABnzbd_article_OJTI8Q
-rw------- 1 debonair wheel 244K Mar 28 12:18 SABnzbd_article_OXxhkz
-rw------- 1 debonair wheel 244K May 9 10:22 SABnzbd_article_OhTowj
Note that only some files are getting it.
The security email I got this morning indicated that setuid changed only on files from January (Jan 4 and Jan 7).
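The periodic setuid report quoted at the top of the thread is the kind of check worth reproducing for a single download tree. The following is an added example written for this page, not the FreeBSD periodic script and not SABnzbd code; the function names are assumptions and the baseline lines are constructed from paths that appear in the first post. It lists setuid/setgid regular files under a directory, decodes why each one matters (world-writable on top of setuid is the combination the first post objects to), and diffs today's listing against a saved baseline the way the daily report does.

```python
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Added example, not /etc/periodic/security/100.chksetuid and not SABnzbd code:
# a small setuid audit with a baseline diff, in the spirit of the daily report.

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def scan(root: str) -> Dict[str, int]:
    """Walk `root` without following symlinks and return {path: st_mode}
    for every regular file carrying the setuid or setgid bit."""
    found: Dict[str, int] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found[path] = st.st_mode
    return found


def classify(mode: int) -> List[str]:
    """Explain why a flagged file deserves attention, most serious last."""
    reasons = []
    if mode & stat.S_ISUID:
        reasons.append("setuid")
    if mode & stat.S_ISGID:
        reasons.append("setgid")
    if mode & stat.S_ISVTX:
        reasons.append("sticky bit on a regular file")
    if mode & WRITABLE_BY_OTHERS:
        # Anyone who can write the file can replace its contents while the
        # setuid bit stays put, which is why this pairing is the real problem.
        reasons.append("group/world writable")
    return reasons


def report(found: Dict[str, int]) -> List[str]:
    """One ls -l style line per flagged file, sorted by path."""
    return [f"{stat.filemode(mode)} {path}" for path, mode in sorted(found.items())]


def diff(baseline: List[str], today: List[str]) -> Tuple[List[str], List[str]]:
    """Return (added, removed) lines between yesterday's report and today's."""
    old, new = set(baseline), set(today)
    return sorted(new - old), sorted(old - new)


def demo() -> dict:
    """Exercise the audit on a scratch tree plus a constructed baseline."""
    work = tempfile.mkdtemp(prefix="setuid-audit-")  # assumed scratch location
    # constructed files: one plain setuid, one 7777 like the report, one sane
    wanted = {"SABnzbd_article_a": 0o4755, "SABnzbd_article_b": 0o7777, "SABnzbd_article_c": 0o600}
    for name, mode in wanted.items():
        path = os.path.join(work, name)
        with open(path, "wb") as fh:
            fh.write(b"article data\n")  # constructed content
        os.chmod(path, mode)
    found = scan(work)

    # constructed baseline and "today" listing using paths from the first post
    cache = "/void/nzb_etc/cache"
    yesterday = report({f"{cache}/SABnzbd_article_McZu-c": stat.S_IFREG | 0o7777})
    today = report({
        f"{cache}/SABnzbd_article_McZu-c": stat.S_IFREG | 0o7777,
        f"{cache}/SABnzbd_article_KIRSrs": stat.S_IFREG | 0o7777,
    })
    added, removed = diff(yesterday, today)
    return {
        "found": sorted(os.path.basename(p) for p in found),
        "reasons": {os.path.basename(p): classify(m) for p, m in found.items()},
        "added": added,
        "removed": removed,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Saving `report()` output to a dated file and running `diff()` against it each morning gives the same signal the periodic mail does, but scoped to the one directory the downloader writes, so a new `-rwsrwsrwt` entry can be tied to the process that created it instead of being buried in a system-wide listing.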