
Bug#286379: Lintian insecure removal bug (#286379)



No reply to this in nearly 2 years. My opinion didn't change, IMHO it
is user-requested behaviour to get things writable by group if you set
umask to 02 -- that's what umask *does*.

If anybody disagrees, you can do any of these three:
1) convince the security team to rule that this is indeed a security bug
and behaviour must be changed
2) convince lintian maintainers likewise. Nobody so far disagreed
here in this buglog or tended to this bugreport, so I assume the team
agrees with me here: you'd most likely need new argumentation for that
3) Appeal to tech-ctte if the above fails

Otherwise, I'll close this bugreport by the end of the year.

--Jeroen

On Tue, Dec 21, 2004 at 03:34:54PM +0100, Jeroen van Wolffelaar wrote:
> On Tue, Dec 21, 2004 at 03:26:12PM +0100, Martin Schulze wrote:
> > I haven't verified that this code is executed for each lintian execution.
> > However, if it is, then it's an issue since the process does not fail if
> > mkdir fails, instead the directory is used.
> 
> This is simply not true, see [1]. This code is executed every lintian
> invocation, but a failing mkdir _will_ abort lintian.
> 
> The current discussion is about whether or not it is okay for lintian to
> use a directory made with current umask, since for example an umask of
> 02 would render you vulnerable to attacks by members of the same
> group[2].
> 
> In my opinion, this is a user-error having 02 umask with
> untrusted members of the same group[3], but the bug submitter
> disagrees[4].
> 
> Sorry for the mess that this buglog is, at the moment...
> 
> --Jeroen
> 
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286379&msg=12
> [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286379&msg=24
> [3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286379&msg=27
> [4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286379&msg=36
> 
> -- 
> Jeroen van Wolffelaar
> Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
> http://Jeroen.A-Eskwadraat.nl
> 
> 

-- 
Jeroen van Wolffelaar
Jeroen@wolffelaar.nl (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
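The point argued in this thread, shown as an added example (this is not lintian's own code, which does not appear on this page): a plain mkdir inherits the caller's umask, so with umask 02 the directory comes out group-writable, whereas a directory requested with an explicit 0700 mode is private whatever the umask, because umask can only clear permission bits. Paths and function names are constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile


def mkdir_under_umask(parent, name, umask):
    """Create parent/name the way a plain mkdir(2) with mode 0777 does.
    The resulting permission bits are 0777 & ~umask.  Returns those bits."""
    path = os.path.join(parent, name)
    old = os.umask(umask)          # temporarily adopt the umask under test
    try:
        os.mkdir(path, 0o777)
    finally:
        os.umask(old)              # always restore the process umask
    return stat.S_IMODE(os.stat(path).st_mode) & 0o777


def mkdir_private(parent, name):
    """Hardened variant: request 0700 explicitly, so the result does not
    depend on whatever umask the user happens to run with."""
    path = os.path.join(parent, name)
    os.mkdir(path, 0o700)
    return stat.S_IMODE(os.stat(path).st_mode) & 0o777


def is_group_or_world_writable(path):
    """Check a directory the way a reviewer would: any g+w or o+w bit set?"""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo():
    # tempfile.mkdtemp() itself creates its directory 0700, independent of umask
    base = tempfile.mkdtemp(prefix="umask-demo-")
    try:
        lax = mkdir_under_umask(base, "lax", 0o002)     # umask 02 -> 0775
        strict = mkdir_private(base, "strict")          # always 0700
        return {
            "lax_mode": lax,
            "lax_group_writable": is_group_or_world_writable(os.path.join(base, "lax")),
            "strict_mode": strict,
            "strict_group_writable": is_group_or_world_writable(os.path.join(base, "strict")),
        }
    finally:
        shutil.rmtree(base)        # clean up the constructed directories


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, oct(value) if isinstance(value, int) else value)
```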


