
FWD: ugh, ugh. Needs to provide /etc/suid.conf and /usr/sbin/suidregister

I really wish I hadn't just discovered this problem today. Anyhow, if
you have a package that has a suidregister call like this in its
postinst, *please* convert to using statoverride ASAP.

----- Forwarded message from Joey Hess <joeyh@debian.org> -----

From: Joey Hess <joeyh@debian.org>
Date: Sun, 04 Feb 2001 14:32:29 -0800
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ugh, ugh. Needs to provide /etc/suid.conf and /usr/sbin/suidregister
X-Mailer: reportbug 1.11

Package: suidmanager
Version: 0.50
Severity: important

We forgot something in the suidmanager -> statoverride transition.
Existing packages will have code like this in them:

if [ -e /etc/suid.conf -a -x /usr/sbin/suidregister ]; then
    suidregister -s apache-common /usr/bin/htpasswd root root 755
    suidregister -s apache-common /usr/lib/apache/suexec root root 4755
else
    chown root.root /usr/lib/apache/suexec
    chmod 4755 /usr/lib/apache/suexec
fi

So if suidmanager is upgraded first and then a new version of such a package
is upgraded to, the result is that the second branch of the if is run, and
any overriding of the permissions they may have done by either suidmanager
or statoverride, will be reset to default. I'm ashamed I didn't think of this
problem earlier.

The fix should be two-pronged. First, this package should include an empty
/etc/suid.conf (touch it in the postinst, it shouldn't be a conffile), and
a /usr/sbin/suidregister that does nothing. Second, all packages in unstable
should be converted ASAP to not include that code. The second is coming along
fairly well, but we need the first to be done now.

-- System Information
Debian Release: testing/unstable
Architecture: i386
Kernel: Linux kite 2.4.0 #1 Sat Jan 6 13:16:16 PST 2001 i686

Versions of packages suidmanager depends on:
ii  dpkg                    Package maintenance system for Deb

----- End forwarded message -----

see shy jo
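
Added example (not part of the original message, and not taken from any Debian package): a postinst-style helper that sets the packaged default owner and mode only when no dpkg-statoverride entry exists for the path, so a local override such as a removed setuid bit survives upgrades. The function name apply_default_perms and the STATOVERRIDE variable are assumptions made for illustration and testing.

```shell
#!/bin/sh
# STATOVERRIDE (hypothetical knob) lets the lookup command be swapped out
# in tests; by default the real dpkg-statoverride is used.
STATOVERRIDE="${STATOVERRIDE:-dpkg-statoverride}"

# apply_default_perms OWNER GROUP MODE PATH
# Applies the package default only if the admin has not registered an
# override for PATH. `dpkg-statoverride --list PATH` exits 0 when an
# override matches and non-zero otherwise.
apply_default_perms() {
    owner=$1 group=$2 mode=$3 path=$4
    if "$STATOVERRIDE" --list "$path" >/dev/null 2>&1; then
        # dpkg applies the override itself when unpacking, so the
        # maintainer script must leave the file alone.
        echo "override present, leaving $path alone"
        return 0
    fi
    chown "$owner:$group" "$path" && chmod "$mode" "$path" &&
        echo "applied default $owner:$group $mode to $path"
}

# In a postinst, with the values from the snippet in the bug report:
#   apply_default_perms root root 4755 /usr/lib/apache/suexec
```

Unlike the old if/else around suidregister, there is no branch here that depends on whether suidmanager is still installed, so upgrade order cannot cause permissions to be reset.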
