Bug#340981: debian-installer and world writable directories
Joey Hess wrote:
> Yes, the installation-report package owns the logs post sarge. In sarge,
> purging base-config will remove the logs, but users may not want to do
> that.
Great, but may I propose that base-config adopts installation logs in
sarge?
At least this patch seems quite simple. It just removes the write
permissions in a base-config update. Since the directory was open for
writing for quite a while, manual inspection of the contents by the admin is
a must though.
-Mikko
diff -Nu base-config-2.53.10/debian/changelog base-config-2.53.10.sarge.mkr1/debian/changelog
--- base-config-2.53.10/debian/changelog 2005-05-15 21:56:15.000000000 +0300
+++ base-config-2.53.10.sarge.mkr1/debian/changelog 2005-11-30 17:31:58.007806120 +0200
@@ -1,3 +1,10 @@
+base-config (2.53.10.sarge.mkr1) testing; urgency=low
+
+ * Added preinst script to remove /var/log/debian-installer/cdebconf
+ group and other write permissions.
+
+ -- Mikko Rapeli <mikko.rapeli@vtt.fi> Wed, 30 Nov 2005 17:31:34 +0200
+
base-config (2.53.10) testing; urgency=low
* Christian Perrier
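Review bot: the new changelog entry does not reference the bug it addresses and is marked urgency=low even though it removes group and other write access from a directory that shipped writable to all. Consider adding "Closes: #340981" to the entry and reconsidering the urgency, so the permissions fix is traceable from the changelog.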
Common subdirectories: base-config-2.53.10/debian/po and base-config-2.53.10.sarge.mkr1/debian/po
diff -Nu base-config-2.53.10/debian/preinst base-config-2.53.10.sarge.mkr1/debian/preinst
--- base-config-2.53.10/debian/preinst 1970-01-01 02:00:00.000000000 +0200
+++ base-config-2.53.10.sarge.mkr1/debian/preinst 2005-11-30 17:23:54.770269392 +0200
@@ -0,0 +1,18 @@
+#!/bin/sh
+#DEBHELPER#
+set -e
+
+CDEBCONF="/var/log/debian-installer/cdebconf"
+
+# debian-installer sarge version leaves $CDEBCONF writable to all.
+# The directory is not owned by any package in sarge, but base-config
+# is closest to debian-installer so adding this simple script is not
+# that big of a violation. This script does not need to be in post sarge
+# base-config package.
+
+# Note: The directory content may have been modified by any user on the system.
+
+# Remove group and other write rights. maxdepth 0 scans only the specified file.
+if [ -n $( find $CDEBCONF -type d -maxdepth 0 -perm +go=w ) ]; then
+ chmod go-w $CDEBCONF
+fi
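Review bot: the condition on the `if [ -n $( find ... ) ]` line is always true, because the command substitution is unquoted: when find prints nothing the test collapses to `[ -n ]`, which succeeds. The chmod therefore runs unconditionally, and with `set -e` in effect a system where $CDEBCONF does not exist will fail the preinst and abort the package upgrade. Since `chmod go-w` is idempotent, the find call can be dropped in favour of an existence guard with quoted expansion, for example `if [ -d "$CDEBCONF" ]; then chmod go-w "$CDEBCONF"; fi`. The comment that the content may have been modified by any user is only visible in the script; a note in the changelog or a message to the admin would make the need for manual inspection harder to miss.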