Other files a+w, (was Re: Bug#57740: Security: Many files are kept a+w)
On Fri, 11 Feb 2000, Wichert Akkerman wrote:
>
> (cc'ed to debian-devel so others will not make the same mistake)
>
If you've done that, then I would also suggest looking at other packages.
I found several examples of this problem in the packages I have installed.
I ran a
>>>
find /etc /usr /var \( -type f -o -type d \) -perm +002 -print0 | xargs -0 ls -ld --color=yes | less -r
<<<
and submitted 8 bug reports on world-writable files and directories
yesterday. Having someone else go over all of the packages to find other
instances and also make sure that these get fixed is a good idea.
My search also found another misfeature: unzip appears to create its files
a+rw.
I don't know if I hit every example, but I hit quite a few. I also wasn't
sure whether the /var/lib/emacs/lock was or was not a bug, and did not
submit a report.
. Games which are not setgid and make world-writable savefiles/logfiles.
. /var/lib/emacs/lock
. tetex's font cache. (/var/spool/texmf/*)
I fixed some of the more egregious ones locally, but the current list
that I see right now includes:
-rw-rw-rw- 1 root   root  4442112 Jan 12 01:44 /var/cache/crafty/book.bin
-rw-rw-rw- 1 root   root        0 Jan 12 01:44 /var/cache/crafty/book.lrn
-rw-rw-rw- 1 root   root   132664 Jan 12 01:44 /var/cache/crafty/books.bin
-rw-rw-rw- 1 root   root        8 Jan 12 01:44 /var/cache/crafty/position.bin
-rw-rw-rw- 1 root   root        9 Jan 12 01:44 /var/cache/crafty/position.lrn
drwxrwxrwx 2 root   root     1024 Jan 20 13:14 /var/lib/emacs/lock
-rw-rw-rw- 1 crosby games      59 Jan 25 23:34 /var/lib/games/mirrormagic/RAY.names
-rw-rw-rw- 1 crosby games   16000 Jan 25 23:34 /var/lib/games/mirrormagic/RAY.score
-rw-rw-rw- 1 root   games     362 Jan 21 00:21 /var/log/crossfire.log
-rw-rw-rw- 1 root   root      129 Feb 11 06:25 /var/run/cfengine/cfengine.dragonlight.runlog
The bug reports I sent:
Subject: Bug#57739: Acknowledgement (Security: Many files are kept a+w)
Subject: Bug#57740: Acknowledgement (Security: Many files are kept a+w)
Subject: Bug#57741: Acknowledgement (Security: Many files are kept a+w)
Subject: Bug#57742: Acknowledgement (Security: Many files are kept a+w)
Subject: Bug#57743: Acknowledgement (Security: Many files are kept a+w)
Subject: Bug#57744: Acknowledgement (Security: Files are kept a+w)
Subject: Bug#57745: Acknowledgement (Security: Files are kept a+w)
Subject: Bug#57746: Acknowledgement (Security: Directories are kept a+w)
on packages:
Package: zangband
Version: 1:2.2.7-1
Package: mlgtk
Version: 1.2.1.2000.01.10-4
Package: crafty
Version: 17.6-1
Package: mirrormagic
Version: 1.3-21
Package: xmcd
Version: 2.5pl1-3
Package: crossfire-server
Version: 0.95.4-2
Package: cfengine
Version: 1.5.3-2
Package: tetex-base
Version: 1.0-7
The maintainers of zangband and cfengine claim to have fixed or to be fixing
the problem.
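
The audit described in this message, as an added shell example that is not part of the original e-mail: it goes beyond the posted command by skipping sticky directories such as /var/tmp and by naming the owning package through `dpkg -S`. The function names are hypothetical, and `-perm -0002` is used because current GNU find no longer accepts the `-perm +002` spelling.

```shell
#!/bin/sh
# Added example: audit for world-writable files and directories.

# list_world_writable DIR...
# One path per line. -perm -0002 means "other-write bit set". Directories
# with the sticky bit (mode 1777, e.g. /var/tmp) are skipped; that exclusion
# is this example's assumption, not part of the posted command.
list_world_writable() {
    # 2>/dev/null hides "Permission denied" noise on unprivileged runs.
    find "$@" -xdev -perm -0002 \
        \( -type f -o \( -type d ! -perm -1000 \) \) -print 2>/dev/null
}

# owning_package PATH
# Debian package that ships PATH, or "(unpackaged)" for files created at
# run time (save files, logs, caches) or when dpkg is not installed.
owning_package() {
    pkg=
    if command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$1" 2>/dev/null | head -n 1 | cut -d: -f1)
    fi
    [ -n "$pkg" ] || pkg='(unpackaged)'
    printf '%s\n' "$pkg"
}

# audit_report DIR...
# One tab-separated line per finding: mode string, package, path.
audit_report() {
    list_world_writable "$@" | while IFS= read -r path; do
        mode=$(ls -ld -- "$path" | cut -c1-10)
        printf '%s\t%s\t%s\n' "$mode" "$(owning_package "$path")" "$path"
    done
}

# Run as: sh audit.sh /etc /usr /var
if [ "$#" -gt 0 ]; then
    audit_report "$@"
fi
```

Findings reported as "(unpackaged)" are files a program created at run time, so the permissions come from the program's umask or open() mode rather than from the package contents.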