
Bug#287018: apache-common: postinst should fix permissions and ownership of mod-bandwidth directory



Package: apache-common
Version: 1.3.33-6sarge1
Followup-For: Bug #287018
Tags: security

  Hi,

    New versions of apache-common (1.3.33-6sarge1) already create the
directory /var/lib/apache/mod-bandwidth with permissions that are NOT
world-writable, so there are no problems with newer Debian installations.

    However, if the user upgrades from a previous version of the package,
it will not fix the permissions.

    The user can successfully attack the machine by filling the whole hard
disk partition of /var; it will probably be a local denial of service
attack. I'm tagging this bug "security". Please check whether the severity
needs to be changed to grave/critical.

    I suggest that "postinst" fix these permissions. I tested this issue,
and at least one Debian server is vulnerable too; I successfully wrote data
to the /var/lib/apache/mod-bandwidth/ directory.

    Thanks in advance,
    Pedro

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-k7
Locale: LANG=pt_BR.UTF-8, LC_CTYPE=pt_BR.UTF-8 (charmap=UTF-8)

Versions of packages apache-common depends on:
ii  apache2-utils       2.0.54-5             utility programs for webservers
ii  debconf             1.4.30.13            Debian configuration management sy
ii  dillo [www-browser] 0.8.3-1              GTK-based web browser
ii  elinks [www-browser 0.10.4-7             advanced text-mode WWW browser
ii  galeon [www-browser 1.3.20-1             GNOME web browser for advanced use
ii  konqueror [www-brow 4:3.3.2-1sarge1      KDE's advanced File Manager, Web B
ii  libc6               2.3.2.ds1-22         GNU C Library: Shared libraries an
ii  libdb4.2            4.2.52-18            Berkeley v4.2 Database Libraries [
ii  libexpat1           1.95.8-3             XML parsing C library - runtime li
ii  links [www-browser] 0.99+1.00pre12-1     Character mode WWW browser
ii  lynx [www-browser]  2.8.5-2sarge1        Text-mode WWW Browser
ii  mime-support        3.28-1               MIME files 'mime.types' & 'mailcap
ii  mozilla-browser [ww 2:1.7.8-1sarge3      The Mozilla Internet application s
hi  mozilla-firefox [ww 1.0.4-2sarge3        lightweight web browser based on M
ii  perl                5.8.4-8              Larry Wall's Practical Extraction 
ii  sed                 4.1.2-8              The GNU sed stream editor
ii  ucf                 1.17                 Update Configuration File: preserv
ii  w3-el-e21 [www-brow 4.0pre.2001.10.27-16 Web browser for GNU Emacs 21
ii  w3m [www-browser]   0.5.1-3              WWW browsable pager with excellent

-- debconf information excluded
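The postinst fix the report asks for, written out as an added example. This is not the apache-common package's own maintainer script and not code from the reporter; it assumes, as the report says, that 1.3.33-6sarge1 is the first version creating the directory correctly, and that the intended mode is simply "not world-writable", so it only clears the other-write bit and leaves ownership alone. The path /var/lib/apache/mod-bandwidth is taken from the report; the function names and the temp-directory demonstration are constructed here.

```shell
#!/bin/sh
# Added example, not the apache-common package's own postinst and not code
# from the bug reporter: a maintainer-script fragment that removes the
# world-write bit from a state directory left behind by an earlier package
# version. Assumptions (not stated in the report): only the o+w bit needs
# clearing, and ownership is left as the package already set it.

set -e

# True (exit 0) when the path's "other" write bit is set. Reads the mode
# column of `ls -ld` (character 9), which is portable across POSIX systems.
is_world_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# Clear the other-write bit on a directory if it is set. Prints a one-line
# status so the fix is visible in the upgrade log. Fails if the path is
# missing, since silently skipping it would hide a broken install.
fix_dir_perms() {
    dir=$1
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    if is_world_writable "$dir"; then
        chmod o-w "$dir"
        echo "fixed: $dir"
    else
        echo "ok: $dir"
    fi
}

# postinst entry point. dpkg runs `postinst configure <old-version>`; the
# old version is empty on a fresh install, where the package already creates
# the directory with the right mode, so only upgrades from versions older
# than the fixed one (1.3.33-6sarge1, per the report) are touched.
postinst_configure() {
    old_version=$1
    dir=${2:-/var/lib/apache/mod-bandwidth}
    fixed_in=1.3.33-6sarge1
    if [ -n "$old_version" ] \
        && dpkg --compare-versions "$old_version" lt "$fixed_in"; then
        fix_dir_perms "$dir"
    fi
}

# Stand-alone demonstration on a constructed world-writable directory, so the
# fix can be exercised without root or a real apache-common upgrade.
demo() {
    tmp=$(mktemp -d)
    chmod 0777 "$tmp"
    fix_dir_perms "$tmp"      # first run tightens the mode
    fix_dir_perms "$tmp"      # second run is a no-op
    ls -ld "$tmp"
    rmdir "$tmp"
}

demo
```

In a real maintainer script the call would be `postinst_configure "$2"` inside the `configure)` case of the usual `case "$1"` block; the version gate keeps the chmod from running on every reconfigure once the directory is correct.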