Martin Schulze wrote:
Joey Hess wrote:
If the security team wants to release an advisory for sarge and include this update to base-config instead of a manual chmod command, that's fine. base-config is the owner of record for the log files in sarge, after all.

What would be the proper fix to this? Does only fixing base-config make the bug go away for both new installations and existing installations? On my machines base-config seems to be purged, on some others it has status rc, which is not better either.
Would base-files be a better place for existing installations? It is marked essential.
-Mikko
Only in base-files-3.1.9.sarge.mkr1: build diff -ru base-files-3.1.9/debian/changelog base-files-3.1.9.sarge.mkr1/debian/changelog --- base-files-3.1.9/debian/changelog 2005-09-30 19:52:01.000000000 +0300 +++ base-files-3.1.9.sarge.mkr1/debian/changelog 2005-12-07 15:19:02.244730984 +0200 @@ -1,3 +1,10 @@ +base-files (3.1.9.sarge.mkr1) unstable; urgency=low + + * Added preinst script to remove /var/log/debian-installer/cdebconf + group and other write permissions. + + -- Mikko Rapeli <mikko.rapeli@vtt.fi> Wed, 7 Dec 2005 15:18:42 +0200 + base-files (3.1.9) unstable; urgency=low * The file /etc/inputrc is now handled by readline-common. Only in base-files-3.1.9.sarge.mkr1/debian: files Only in base-files-3.1.9.sarge.mkr1/debian: preinst diff -ru base-files-3.1.9/debian/preinst.in base-files-3.1.9.sarge.mkr1/debian/preinst.in --- base-files-3.1.9/debian/preinst.in 2001-03-17 20:28:32.000000000 +0200 +++ base-files-3.1.9.sarge.mkr1/debian/preinst.in 2005-12-07 15:18:08.567891104 +0200 @@ -19,3 +19,17 @@ if dpkg --compare-versions "$2" lt-nl "2.2.6"; then echo "#VERSION#" > /etc/debian_version fi + +# debian-installer sarge version leaves $CDEBCONF writable to all. +# The directory is not owned by any package in sarge, but base-files +# is close to debian-installer so adding this simple script is not +# that big of a violation. Following lines do not need to be in post sarge +# base-files package. +# +# Note: The directory content may have been modified by any user on the system. + +CDEBCONF="/var/log/debian-installer/cdebconf" +# Remove group and other write rights. maxdepth 0 scans only the specified file. +if [ -n $( find $CDEBCONF -type d -maxdepth 0 -perm +go=w ) ]; then + chmod go-w $CDEBCONF +fi Only in base-files-3.1.9.sarge.mkr1/debian: tmp
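Review bot: The new debian/changelog entry targets "unstable" with urgency=low, while the comment added to preinst.in says these lines do not need to be in a post-sarge base-files. If the change is meant for existing sarge installations and fixes a directory left writable to all, the distribution field and urgency in the entry should say so. The entry could also name the problem (the directory is writable by group and other) rather than only the action taken.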
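Review bot: In the preinst.in hunk the test [ -n $( find $CDEBCONF ... ) ] leaves the command substitution unquoted, so when find prints nothing the test collapses to [ -n ], which is true, and the chmod runs on every system whether or not the directory is writable. On a machine where /var/log/debian-installer/cdebconf does not exist, find reports an error and chmod go-w then fails; if the maintainer script runs under set -e, that aborts the base-files upgrade. Suggest guarding with [ -d "$CDEBCONF" ] first, quoting both "$CDEBCONF" and the "$( find ... )" result, and putting -maxdepth 0 before -type d, since GNU find expects options ahead of tests. The added comment also notes that the directory content may have been modified by any user, but the hunk only changes the mode of the directory itself; it would help to state whether files inside it are deliberately left as they are.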