Bug#340981: debian-installer and world writable directories
Martin Schulze wrote:
Joey Hess wrote:
If the security team wants to release an advisory for sarge and include
this update to base-config instead of a manual chmod command, that's
fine. base-config is the owner of record for the log files in sarge,
What would be the proper fix to this? Does only fixing base-config make
the bug go away for both new installations and existing installations?
On my machines base-config seems to be purged, on some others it has
status rc, which is not better either.
Would base-files be a better place for existing installations? It is
Only in base-files-3.1.9.sarge.mkr1: build
diff -ru base-files-3.1.9/debian/changelog base-files-3.1.9.sarge.mkr1/debian/changelog
--- base-files-3.1.9/debian/changelog 2005-09-30 19:52:01.000000000 +0300
+++ base-files-3.1.9.sarge.mkr1/debian/changelog 2005-12-07 15:19:02.244730984 +0200
@@ -1,3 +1,10 @@
+base-files (3.1.9.sarge.mkr1) unstable; urgency=low
+ * Added preinst script to remove /var/log/debian-installer/cdebconf
+ group and other write permissions.
+ -- Mikko Rapeli <email@example.com> Wed, 7 Dec 2005 15:18:42 +0200
base-files (3.1.9) unstable; urgency=low
* The file /etc/inputrc is now handled by readline-common.
Only in base-files-3.1.9.sarge.mkr1/debian: files
Only in base-files-3.1.9.sarge.mkr1/debian: preinst
diff -ru base-files-3.1.9/debian/preinst.in base-files-3.1.9.sarge.mkr1/debian/preinst.in
--- base-files-3.1.9/debian/preinst.in 2001-03-17 20:28:32.000000000 +0200
+++ base-files-3.1.9.sarge.mkr1/debian/preinst.in 2005-12-07 15:18:08.567891104 +0200
@@ -19,3 +19,17 @@
if dpkg --compare-versions "$2" lt-nl "2.2.6"; then
echo "#VERSION#" > /etc/debian_version
+# debian-installer sarge version leaves $CDEBCONF writable to all.
+# The directory is not owned by any package in sarge, but base-files
+# is close to debian-installer so adding this simple script is not
+# that big of a violation. Following lines do not need to be in post sarge
+# base-files package.
+# Note: The directory content may have been modified by any user on the system.
+# Remove group and other write rights. maxdepth 0 scans only the specified file.
+if [ -n $( find $CDEBCONF -type d -maxdepth 0 -perm +go=w ) ]; then
+ chmod go-w $CDEBCONF
Only in base-files-3.1.9.sarge.mkr1/debian: tmp