
Other files a+w, (was Re: Bug#57740: Security: Many files are kept a+w)



On Fri, 11 Feb 2000, Wichert Akkerman wrote:

> 
> (cc'ed to debian-devel so others will not make the same mistake)
> 

If you've done that, then I would also suggest looking at other packages;
I found several examples of this problem in the packages I have installed.

I ran a

>>>
find /etc /usr /var \( -type f -o -type d \) -perm -002 -print0 | \
  xargs -0 ls -ld --color=yes | less -r
<<<

and submitted 8 bug reports on world-writable files and directories
yesterday. Having someone else go over all of the packages to find other  
instances and also make sure that these get fixed is a good idea.

My search also found another misfeature: unzip appears to create its files
a+rw.

I don't know if I hit every example, but I hit quite a few. I also wasn't
sure whether the /var/lib/emacs/lock was or was not a bug, and did not
submit a report.

.   Games which are not setgid and make world-writable savefiles/logfiles.
.   /var/lib/emacs/lock
.   tetex's font cache. (/var/spool/texmf/*)


I fixed some of the more egregious ones locally, but the current list
that I see right now includes:

-rw-rw-rw-    1 root     root      4442112 Jan 12 01:44 /var/cache/crafty/book.bin
-rw-rw-rw-    1 root     root            0 Jan 12 01:44 /var/cache/crafty/book.lrn
-rw-rw-rw-    1 root     root       132664 Jan 12 01:44 /var/cache/crafty/books.bin
-rw-rw-rw-    1 root     root            8 Jan 12 01:44 /var/cache/crafty/position.bin
-rw-rw-rw-    1 root     root            9 Jan 12 01:44 /var/cache/crafty/position.lrn
drwxrwxrwx    2 root     root         1024 Jan 20 13:14 /var/lib/emacs/lock
-rw-rw-rw-    1 crosby   games          59 Jan 25 23:34 /var/lib/games/mirrormagic/RAY.names
-rw-rw-rw-    1 crosby   games       16000 Jan 25 23:34 /var/lib/games/mirrormagic/RAY.score
-rw-rw-rw-    1 root     games         362 Jan 21 00:21 /var/log/crossfire.log
-rw-rw-rw-    1 root     root          129 Feb 11 06:25 /var/run/cfengine/cfengine.dragonlight.runlog



The bug reports I sent: 
Subject: Bug#57739: Acknowledgement (Security: Many files are kept a+w)
Subject: Bug#57740: Acknowledgement (Security: Many files are kept a+w)
Subject: Bug#57741: Acknowledgement (Security: Many files are kept a+w)
Subject: Bug#57742: Acknowledgement (Security: Many files are kept a+w)
Subject: Bug#57743: Acknowledgement (Security: Many files are kept a+w)
Subject: Bug#57744: Acknowledgement (Security: Files are kept a+w)
Subject: Bug#57745: Acknowledgement (Security: Files are kept a+w)
Subject: Bug#57746: Acknowledgement (Security: Directories are kept a+w)

on packages:

Package: zangband
Version: 1:2.2.7-1
Package: mlgtk
Version: 1.2.1.2000.01.10-4
Package: crafty
Version: 17.6-1
Package: mirrormagic
Version: 1.3-21
Package: xmcd
Version: 2.5pl1-3
Package: crossfire-server
Version: 0.95.4-2
Package: cfengine
Version: 1.5.3-2
Package: tetex-base
Version: 1.0-7

The maintainers of zangband and cfengine claim to have fixed or are fixing
the problem.
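
A narrower form of the search in the message above, added here as an example and not part of the original post: it skips sticky-bit directories such as /tmp and names the owning Debian package through `dpkg-query -S`. The function names `ww_audit`, `ww_owner`, `ww_report` and `ww_demo` are hypothetical, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example (not from the original message).

# Print world-writable regular files, and world-writable directories that
# lack the sticky bit (mode 1777 directories such as /tmp are skipped).
# find does not follow symlinks by default, so links are never reported.
ww_audit() {
    find "$@" -xdev \( \
        \( -type f -perm -0002 \) -o \
        \( -type d -perm -0002 ! -perm -1000 \) \
    \) -print
}

# Name the Debian package that ships a path, if any. Files created at run
# time (savefiles, logs) belong to no package and yield an empty result.
ww_owner() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -S "$1" 2>/dev/null | cut -d: -f1 | head -n 1
    fi
}

# One "package<TAB>path" line per finding. Assumes no newlines in paths.
ww_report() {
    ww_audit "$@" | while IFS= read -r path; do
        pkg=$(ww_owner "$path")
        printf '%s\t%s\n' "${pkg:-unowned}" "$path"
    done
}

# Constructed sample tree: only "lock" and "score" should be reported.
ww_demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/lock" "$d/tmp" "$d/ok"
    : > "$d/score"; : > "$d/private"
    chmod 0777 "$d/lock"; chmod 1777 "$d/tmp"; chmod 0755 "$d/ok"
    chmod 0666 "$d/score"; chmod 0644 "$d/private"
    ln -s "$d/score" "$d/link"
    (cd "$d" && ww_audit . | sort)
    rm -rf "$d"
}

# Typical use: ww_report /etc /usr /var
```

Findings reported as `unowned` are the run-time files (scores, logs, lock directories) whose mode comes from the program's umask handling or its maintainer scripts rather than from the package archive.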





