Your message dated Thu, 06 Nov 2008 18:37:14 +0200
with message-id <49131D3A.7060905@gmail.com>
and subject line closing #449573
has caused the Debian Bug report #449573,
regarding sources.list not owned by root
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
449573: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449573
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: sources.list not owned by root
- From: jidanni@jidanni.org
- Date: Wed, 07 Nov 2007 01:35:25 +0800
- Message-id: <871wb3gtuq.fsf@jidanni.org>
X-Debbugs-No-Ack: please
Package: apt
Version: 0.7.9
Severity: wishlist

Poking around /etc/apt with ls -o,
/etc/apt:
drwxr-xr-x 2 root 1024 Nov 7 01:11 apt.conf.d
-rw------- 1 root 0 Jan 23 2007 secring.gpg
-rw-r--r-- 1 jidanni 491 Nov 7 01:25 sources.list
drwxr-xr-x 2 root 1024 Feb 22 2006 sources.list.d
-rw------- 1 root 1200 Aug 25 07:14 trustdb.gpg
-rw-r--r-- 1 root 18247 Aug 25 07:14 trusted.gpg
-rw-r--r-- 1 root 18247 Aug 25 07:14 trusted.gpg~

I noticed:
1. Seems I could get away with having sources.list owned by non-root.
   Probably no check is done for files and directories to be sure they
   are owned by root before reading... or maybe who cares.
2. trusted.gpg and backups are world readable.

I'm not sure if these are security concerns.
--- End Message ---
--- Begin Message ---
- To: 449573-done@bugs.debian.org
- Subject: closing #449573
- From: "Eugene V. Lyubimkin" <jackyf.devel@gmail.com>
- Date: Thu, 06 Nov 2008 18:37:14 +0200
- Message-id: <49131D3A.7060905@gmail.com>
Hi Jidanni!

>Seems I could get away with having sources.list owned by non-root.
>Probably no check is done for files and directories to be sure they
>are owned by root before reading... or maybe who cares.
Why is this check needed? Root usually can read all files. And it seems
that you set 'jidanni' as owner by yourself. Again, this is not apt's
problem.

>trusted.gpg and backups are world readable
No security concerns as they are not private keys or similar, only signs.

Closing this bug by now. If you can reproduce changing the permissions by
apt - reopen it (bug).

--
Eugene V. Lyubimkin aka JackYF
Attachment: signature.asc
Description: OpenPGP digital signature
--- End Message ---
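
The thread leaves the ownership check to the administrator. The following is an added example, not part of the thread or of apt: a shell function that lists entries under an apt configuration directory that are not owned by the expected uid or are writable by group or others. The function name `audit_apt_dir`, the default uid 0, and the use of GNU `find` and `stat` (as shipped on Debian) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not apt's own code.
# audit_apt_dir [DIR] [UID]
#   DIR  directory to inspect (default: /etc/apt)
#   UID  numeric owner the entries are expected to have (default: 0, root;
#        this expectation is an assumption of the example)
# Prints one line per finding: "<owner uid> <mode> <path>".
# Returns 0 when nothing is flagged, 1 otherwise.
audit_apt_dir() {
    dir=${1:-/etc/apt}
    want_uid=${2:-0}

    # Flag anything (files and directories, symlinks skipped) that is
    #   - owned by a uid other than the expected one, or
    #   - writable by its group (-perm -020), or
    #   - writable by others (-perm -002).
    # Read permission is deliberately not checked: trusted.gpg holds
    # public keys, as the reply in the thread points out.
    findings=$(
        find "$dir" ! -type l \
            \( ! -uid "$want_uid" -o -perm -020 -o -perm -002 \) \
            -exec stat -c '%u %A %n' {} +
    )

    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage (run as any user that can list the directory):
#   audit_apt_dir /etc/apt || echo "review the entries listed above"
```

On the listing in the original report this would print the `sources.list` line, since that file is owned by `jidanni` rather than root.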