Bug#340981: debian-installer and world writable directories
Joey Hess wrote:
> Mikko Rapeli wrote:
> > Joey Hess wrote:
> > >Yes, the installation-report package owns the logs post sarge. In sarge,
> > >purging base-config will remove the logs, but users may not want to do
> > >that.
> >
> > Great, but may I propose that base-config adopts installation logs in
> > sarge?
> >
> > At least this patch seems quite simple. It just removes the write
> > permissions in a base-config update. Since the directory was open for
> > writing quite a while, manual inspection of the contents by the admin is
> > a must though.
>
> If the security team wants to release an advisory for sarge and include
> this update to base-config instead of a manual chmod command, that's
> fine. base-config is the owner of record for the log files in sarge,
> after all.

What would be the proper fix to this? Does only fixing base-config make
the bug go away for both new installations and existing installations?

On my machines base-config seems to be purged, on some others it has
status rc, which is not better either.

In the bug report you speak about a bug in genext2fs, so I guess
this one requires a fix as well.

Regards,

Joey

--
Have you ever noticed that "General Public Licence" contains the word "Pub"?
Please always Cc to me when replying to me on the lists.