Bug#254068: base-config log should not be world readable

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#254068: base-config log should not be world readable
From: Vassilii Khachaturov <vassilii@tarunz.org>
Date: Sat, 12 Jun 2004 22:06:05 +0300
Message-id: <[🔎] E1BZDpN-0002DG-RM@Ilmarinen>
Reply-to: Vassilii Khachaturov <vassilii@tarunz.org>, 254068@bugs.debian.org

Package: base-config
Version: 2.25
Severity: normal
Tags: security

I believe that the base-config logs should not be world readable.
Some of the packages ask for passwords that are echoed back during
the configuration (e.g. pppoeconf), albeit stored later in files
not readable by the world.

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.4.25-1-686
Locale: LANG=ru_RU.KOI8-R, LC_CTYPE=ru_RU.KOI8-R

Versions of packages base-config depends on:
ii  adduser                 3.56             Add and remove users and groups
ii  apt                     0.5.25           Advanced front-end for dpkg
ii  aptitude                0.2.14-3         curses-based apt frontend
ii  bsdutils                1:2.12-3         Basic utilities from 4.4BSD-Lite
ii  console-data            2002.12.04dbs-40 Keymaps, fonts, charset maps, fall
ii  console-tools           1:0.2.3dbs-52    Linux console and font utilities
ii  debconf                 1.4.25           Debian configuration management sy
ii  debianutils             2.8.2            Miscellaneous utilities specific t
ii  gettext-base            0.14.1-2         GNU Internationalization utilities
ii  passwd                  1:4.0.3-28.3     Change and administer password and

-- debconf information:
  tzconfig/choose_country_zone_single: true
  base-config/menu/mta: 
  tzconfig/select_zone: 
  tzconfig/verify_choices: true
  tzconfig/choose_country_zone/BR: East
* base-config/intro: 
  apt-setup/security-updates: true
  apt-setup/another: false
  mirror/distribution: testing
  base-config/title: 
  base-config/menu/finish: 
  debian-installer/language: en
* apt-setup/mirror: ftp.freenet.de
  base-config/start-display-manager: true
  base-config/menu/apt-setup: 
  base-config/menu/keyboard: 
  tzconfig/title: 
  debian-installer/country: US
  apt-setup/directory: /pub/ftp.debian.org/debian/
* base-config/install-problem: 
* tzconfig/change_timezone: false
* base-config/pkgsel: tasksel - quickly choose from predefined collections of software
  base-config/menu/hostname: 
  apt-setup/cd/another: false
  apt-setup/non-free: false
  apt-setup/badedit: 
  apt-setup/non-us: true
  mirror/suite: testing
  apt-setup/baddir: 
  base-config/menu/pkgsel: 
  base-config/menu/apt-get: 
  base-config/menu/timezone: 
  base-config/menu/intro: 
  base-config/menu/passwd: 
  apt-setup/hostname: ftp.freenet.de
  base-config/menu/pon: 
* base-config/login: 
* tzconfig/gmt: true
  apt-setup/title: 
  mirror/http/proxy: 
  apt-setup/contrib: true
  apt-setup/non-us-failed: 
  base-config/main-menu: Set up users and passwords
* tzconfig/geographic_area: Asia
  apt-setup/cd/dev: /dev/cdrom
* apt-setup/country: Germany
  debian-installer/keymap: us
  apt-setup/badsource: 
  base-config/use-ppp: false
  apt-setup/uri_type: ftp
  tzconfig/choose_country_zone/US: Eastern
* base-config/get-hostname: ilmarinen
  apt-setup/not-mirror: 
  tzconfig/choose_country_zone_multiple: 
  tzconfig/choose_country_zone/CA: Eastern
  apt-setup/security-updates-failed: 
  base-config/menu/shell: 
  apt-setup/cd/bad: 
* base-config/invalid-hostname:

Reply to:

Follow-Ups:
- Bug#254068: base-config log should not be world readable
  - From: Christian Perrier <bubulle@debian.org>

Prev by Date: Bug#254059: elilo is also available on i386.
Next by Date: Bug#254071: debian-installer: installation 2.6 fails to detect SATA hd, no partitioning possible
Previous by thread: busybox-cvs_20040612-1_i386.changes ACCEPTED
Next by thread: Bug#254068: base-config log should not be world readable
Index(es):
- Date
- Thread