[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#299007: base-files: Insecure PATH

In this report, the submitter complains about /usr/local/bin being in
the PATH by default at the same time directories under /usr/local are
root:staff and world-writable. His complain is based on the existence
of become-any-group-but-root bugs.

If this is a bug at all, I think we should probably drop the root:staff
thing instead of changing the default PATH. So: Would anyone here
second the following patch, if it were a policy proposal?

diff -ru debian-policy-3.6.1.1.orig/policy.sgml debian-policy-3.6.1.1/policy.sgml
--- debian-policy-3.6.1.1.orig/policy.sgml	2004-06-25 23:11:36.000000000 +0200
+++ debian-policy-3.6.1.1/policy.sgml	2005-03-11 13:25:27.000000000 +0100
@@ -5062,8 +5062,8 @@
 then
   if mkdir /usr/local/share/emacs 2>/dev/null
   then
-    chown root:staff /usr/local/share/emacs
-    chmod 2775 /usr/local/share/emacs
+    chown root:root /usr/local/share/emacs
+    chmod 755 /usr/local/share/emacs
   fi
 fi
 	    </example>
@@ -5095,8 +5095,8 @@
 	  <p>
 	    The <file>/usr/local</file> directory itself and all the
 	    subdirectories created by the package should (by default) have
-	    permissions 2775 (group-writable and set-group-id) and be
-	    owned by <tt>root.staff</tt>.
+	    permissions 755 and be
+	    owned by <tt>root:root</tt>.
 	  </p>
 	</sect1>
Reply to: