Bug#340981: debian-installer and world writable directories

Martin Schulze wrote:
Joey Hess wrote:
If the security team wants to release an advisory for sarge and include
this update to base-config instead of a manual chmod command, that's
fine. base-config is the owner of record for the log files in sarge,
after all.

What would be the proper fix to this?  Does only fixing base-config make
the bug go away for both new installations and existing installations?
On my machines base-config seems to be purged, on some others it has
status rc, which is not better either.

Would base-files be a better place for existing installations? It is marked essential.

Only in base-files-3.1.9.sarge.mkr1: build
diff -ru base-files-3.1.9/debian/changelog base-files-3.1.9.sarge.mkr1/debian/changelog
--- base-files-3.1.9/debian/changelog	2005-09-30 19:52:01.000000000 +0300
+++ base-files-3.1.9.sarge.mkr1/debian/changelog	2005-12-07 15:19:02.244730984 +0200
@@ -1,3 +1,10 @@
+base-files (3.1.9.sarge.mkr1) unstable; urgency=low
+  * Added preinst script to remove /var/log/debian-installer/cdebconf
+    group and other write permissions.
+ -- Mikko Rapeli <mikko.rapeli@vtt.fi>  Wed,  7 Dec 2005 15:18:42 +0200
 base-files (3.1.9) unstable; urgency=low
   * The file /etc/inputrc is now handled by readline-common.
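Review bot: The new changelog entry does not reference the bug it addresses and is marked `unstable; urgency=low`, although the version string and the discussion target sarge and the change tightens world-writable permissions. Add a `Closes: #340981` to the entry, and set the distribution and urgency to match how the upload is meant to reach sarge. The entry also describes only the directory mode change; if files inside /var/log/debian-installer/cdebconf are deliberately left untouched, say so here.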
Only in base-files-3.1.9.sarge.mkr1/debian: files
Only in base-files-3.1.9.sarge.mkr1/debian: preinst
diff -ru base-files-3.1.9/debian/preinst.in base-files-3.1.9.sarge.mkr1/debian/preinst.in
--- base-files-3.1.9/debian/preinst.in	2001-03-17 20:28:32.000000000 +0200
+++ base-files-3.1.9.sarge.mkr1/debian/preinst.in	2005-12-07 15:18:08.567891104 +0200
@@ -19,3 +19,17 @@
 if dpkg --compare-versions "$2" lt-nl "2.2.6"; then
   echo "#VERSION#" > /etc/debian_version
+# debian-installer sarge version leaves $CDEBCONF writable to all.
+# The directory is not owned by any package in sarge, but base-files
+# is close to debian-installer so adding this simple script is not
+# that big of a violation. Following lines do not need to be in post sarge
+# base-files package.
+# Note: The directory content may have been modified by any user on the system.
+# Remove group and other write rights. maxdepth 0 scans only the specified file.
+if [ -n $( find  $CDEBCONF -type d -maxdepth 0 -perm +go=w ) ]; then
+        chmod go-w $CDEBCONF
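Review bot: The test on the `+if [ -n $( find ... ) ]` line leaves the command substitution unquoted, so when find prints nothing it collapses to `[ -n ]`, which is true, and the chmod runs on every upgrade regardless of the current mode. Quote it as `[ -n "$( find ... )" ]`, or drop the find and guard with `[ -d "$CDEBCONF" ]`, since `chmod go-w` is harmless to repeat. No assignment of `CDEBCONF` is visible in these lines; if it is empty, find scans the current directory and `chmod go-w` is called without a file operand, so set it explicitly to the path named in the changelog and quote it in both commands. The added comment notes that the directory content may have been modified by any user, but only the directory's own mode is changed; files already placed inside it keep their owner and permissions, which should be either handled or documented as out of scope.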
Only in base-files-3.1.9.sarge.mkr1/debian: tmp
