
Bug#340981: debian-installer and world writable directories



Joey Hess wrote:
Yes, the installation-report package owns the logs post sarge. In sarge,
purging base-config will remove the logs, but users may not want to do
that.

Great, but may I propose that base-config adopts installation logs in sarge?

At least this patch seems quite simple. It just removes the write permissions in a base-config update. Since the directory was open for writing for quite a while, manual inspection of the contents by the admin is a must, though.

-Mikko
diff -Nu base-config-2.53.10/debian/changelog base-config-2.53.10.sarge.mkr1/debian/changelog
--- base-config-2.53.10/debian/changelog	2005-05-15 21:56:15.000000000 +0300
+++ base-config-2.53.10.sarge.mkr1/debian/changelog	2005-11-30 17:31:58.007806120 +0200
@@ -1,3 +1,10 @@
+base-config (2.53.10.sarge.mkr1) testing; urgency=low
+
+  * Added preinst script to remove /var/log/debian-installer/cdebconf
+    group and other write permissions.
+
+ -- Mikko Rapeli <mikko.rapeli@vtt.fi>  Wed, 30 Nov 2005 17:31:34 +0200
+
 base-config (2.53.10) testing; urgency=low
 
   * Christian Perrier
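Review bot: The new changelog entry does not reference Bug#340981 and does not say that /var/log/debian-installer/cdebconf was world-writable, so an admin reading the changelog cannot tell that this is a permissions fix or that the directory contents may have been modified by local users. Suggest naming the bug in the entry and stating there that the existing contents should be inspected, since that caveat currently appears only as a comment inside the preinst script. It is also worth confirming that urgency=low is intended for a change that closes a world-writable directory.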
Common subdirectories: base-config-2.53.10/debian/po and base-config-2.53.10.sarge.mkr1/debian/po
diff -Nu base-config-2.53.10/debian/preinst base-config-2.53.10.sarge.mkr1/debian/preinst
--- base-config-2.53.10/debian/preinst	1970-01-01 02:00:00.000000000 +0200
+++ base-config-2.53.10.sarge.mkr1/debian/preinst	2005-11-30 17:23:54.770269392 +0200
@@ -0,0 +1,18 @@
+#!/bin/sh
+#DEBHELPER#
+set -e
+
+CDEBCONF="/var/log/debian-installer/cdebconf"
+
+# debian-installer sarge version leaves $CDEBCONF writable to all.
+# The directory is not owned by any package in sarge, but base-config
+# is closest to debian-installer so adding this simple script is not
+# that big of a violation. This script does not need to be in post sarge
+# base-config package. 
+
+# Note: The directory content may have been modified by any user on the system.
+
+# Remove group and other write rights. maxdepth 0 scans only the specified file.
+if [ -n $( find  $CDEBCONF -type d -maxdepth 0 -perm +go=w ) ]; then
+	chmod go-w $CDEBCONF
+fi
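Review bot: The test on the `if [ -n $( find  $CDEBCONF ... ) ]` line is always true because the command substitution is unquoted: when find prints nothing, the shell evaluates `[ -n ]`, which is a one-argument test of the non-empty string "-n" and succeeds. The chmod therefore runs unconditionally, and on a system where /var/log/debian-installer/cdebconf does not exist it fails, at which point `set -e` aborts the preinst and the package upgrade fails. Suggest replacing the find call with an existence check and quoting the variable, for example `if [ -d "$CDEBCONF" ]; then chmod go-w "$CDEBCONF"; fi`; chmod go-w is idempotent, so testing the current mode first adds nothing. If the find test is kept, quote the substitution, put -maxdepth 0 before -type d, and note that `-perm +go=w` is the older GNU find spelling that later findutils releases replaced with `-perm /go=w`. Two smaller points: `set -e` comes after the `#DEBHELPER#` marker, so any generated snippet would run without it, and the script changes only the directory mode, so files already created inside it by other users keep their owner and permissions, which is what the "Note:" comment warns about without acting on it.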
