Bug#340981: debian-installer and world writable directories

To: Martin Schulze <joey@infodrom.org>, 340981@bugs.debian.org
Cc: Joey Hess <joeyh@debian.org>, team@security.debian.org
Subject: Bug#340981: debian-installer and world writable directories
From: Mikko Rapeli <mikko.rapeli@vtt.fi>
Date: Wed, 07 Dec 2005 15:38:47 +0200
Message-id: <[🔎] 4396E5E7.3020905@vtt.fi>
Reply-to: Mikko Rapeli <mikko.rapeli@vtt.fi>, 340981@bugs.debian.org
In-reply-to: <20051130194904.GN16502@finlandia.infodrom.north.de>
References: <4389D098.7020003@vtt.fi> <20051128224052.GE14159@kitenet.net> <438C0A5D.5000904@vtt.fi> <20051129183836.GB31521@kitenet.net> <438DCB1D.9000900@vtt.fi> <20051130165733.GB5526@kitenet.net> <20051130194904.GN16502@finlandia.infodrom.north.de>

Martin Schulze wrote:

Joey Hess wrote:

If the security team wants to release an advisory for sarge and include
this update to base-config instead of a manual chmod command, that's
fine. base-config is the owner of record for the log files in sarge,
after all.


What would be the proper fix to this?  Does only fixing base-config make
the bug go away for both new installations and existing installations?
On my machines base-config seems to be purged, on some others it has
status rc, which is not better either.

Would base-files be a better place for existing installations? It ismarked essential.


-Mikko

Only in base-files-3.1.9.sarge.mkr1: build
diff -ru base-files-3.1.9/debian/changelog base-files-3.1.9.sarge.mkr1/debian/changelog
--- base-files-3.1.9/debian/changelog	2005-09-30 19:52:01.000000000 +0300
+++ base-files-3.1.9.sarge.mkr1/debian/changelog	2005-12-07 15:19:02.244730984 +0200
@@ -1,3 +1,10 @@
+base-files (3.1.9.sarge.mkr1) unstable; urgency=low
+
+  * Added preinst script to remove /var/log/debian-installer/cdebconf
+    group and other write permissions.
+
+ -- Mikko Rapeli <mikko.rapeli@vtt.fi>  Wed,  7 Dec 2005 15:18:42 +0200
+
 base-files (3.1.9) unstable; urgency=low
 
   * The file /etc/inputrc is now handled by readline-common.
Only in base-files-3.1.9.sarge.mkr1/debian: files
Only in base-files-3.1.9.sarge.mkr1/debian: preinst
diff -ru base-files-3.1.9/debian/preinst.in base-files-3.1.9.sarge.mkr1/debian/preinst.in
--- base-files-3.1.9/debian/preinst.in	2001-03-17 20:28:32.000000000 +0200
+++ base-files-3.1.9.sarge.mkr1/debian/preinst.in	2005-12-07 15:18:08.567891104 +0200
@@ -19,3 +19,17 @@
 if dpkg --compare-versions "$2" lt-nl "2.2.6"; then
   echo "#VERSION#" > /etc/debian_version
 fi
+
+# debian-installer sarge version leaves $CDEBCONF writable to all.
+# The directory is not owned by any package in sarge, but base-files
+# is close to debian-installer so adding this simple script is not
+# that big of a violation. Following lines do not need to be in post sarge
+# base-files package.
+#
+# Note: The directory content may have been modified by any user on the system.
+
+CDEBCONF="/var/log/debian-installer/cdebconf"
+# Remove group and other write rights. maxdepth 0 scans only the specified file.
+if [ -n $( find  $CDEBCONF -type d -maxdepth 0 -perm +go=w ) ]; then
+        chmod go-w $CDEBCONF
+fi
Only in base-files-3.1.9.sarge.mkr1/debian: tmp

Reply to:

Prev by Date: Bug#342359: installation-reports failure SATA HDD No common CD-ROM drive was detected
Next by Date: Bug#342359: installation-reports failure SATA HDD No common CD-ROM drive was detected
Previous by thread: Re: Bug#342359: installation-reports failure SATA HDD No common CD-ROM drive was detected
Next by thread: Re: Dell Dimension 3100: keyboard freezes
Index(es):
- Date
- Thread