
Bug#299007: base-files: Insecure PATH



On Fri, 11 Mar 2005, Bill Allombert wrote:

> On Fri, Mar 11, 2005 at 01:39:28PM +0100, Santiago Vila wrote:
> > In this report, the submitter complains about /usr/local/bin being in
> > the PATH by default at the same time directories under /usr/local are
> > root:staff and world-writable. His complaint is based on the existence
> > of become-any-group-but-root bugs.
> 
> Is there evidence of such bugs? There are no binaries sgid staff in
> Debian to start with.

You don't need sgid staff binaries. Quoting the submitter:

 Become-any-user-but-root and become-any-group-but-root bugs are quite
 common. When a group of machines share user home directories via NFS
 exported from somewhere with default root-squash, getting root on one
 machine gives precisely that on all others of the group. There have been
 "genuine" such bugs also e.g. in sendmail [6].

The issue here is that "group staff" is equivalent to "user root", and
that we had better eliminate such equivalence from the default system.

> However, I disagree with the attitude of reassigning bug to
> debian-policy. If submitters want to make a policy proposal,
> they can propose it themselves.

Well, you have to be an official developer for that, so that's not
always possible.

In this case, you may consider this as a proposal made by me if you like.

This is not a bug in base-files because policy explicitly *mandates*
the root:staff thing, but as I see fewer and fewer people who find
the root:staff thing useful and more and more people who consider it
a potentially dangerous thing, I think that we had better drop the
staff thing from policy entirely, hence my reassign.
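
A check for the weakness this thread is about, added here as an example and not part of the original message or of base-files: it walks a PATH-style list and reports every directory that a non-root group (such as staff) or anyone can write to, since a program dropped there is picked up by every user whose PATH includes it. The function name, output format and the choice to exempt group root are my own.

```sh
#!/bin/sh
# Audit a PATH-style list for directories writable by a non-root group or by
# everyone. In the thread's case, /usr/local/bin is root:staff with the group
# write bit set, which is what makes "group staff" equivalent to "user root".
# Uses only POSIX sh and `ls -ld`, so it runs on any Debian system as-is.
#
# Usage: audit_path_dirs [PATH_STRING]   (defaults to the caller's $PATH)
# Prints "mode owner:group dir" per offending entry; returns 0 when the list
# is clean and 1 when at least one insecure directory was found.
audit_path_dirs() {
    list="${1:-$PATH}"
    found=0
    saved_ifs="$IFS"
    IFS=:
    for dir in $list; do
        IFS="$saved_ifs"          # restore normal word splitting inside the body
        [ -n "$dir" ] || dir=.    # an empty PATH entry means the current directory
        [ -d "$dir" ] || continue # a missing entry is a different problem
        # `ls -ld` prints: mode links owner group size date... name
        set -- $(ls -ld "$dir")
        mode="$1"; owner="$3"; group="$4"
        gw=$(printf '%s' "$mode" | cut -c6)   # group write bit (position 6)
        ow=$(printf '%s' "$mode" | cut -c9)   # world write bit (position 9)
        insecure=0
        [ "$ow" = "w" ] && insecure=1
        # Group root is exempt: its members can already act as root anyway.
        [ "$gw" = "w" ] && [ "$group" != "root" ] && insecure=1
        if [ "$insecure" -eq 1 ]; then
            printf '%s %s:%s %s\n' "$mode" "$owner" "$group" "$dir"
            found=1
        fi
    done
    IFS="$saved_ifs"
    return $found
}
```

Run it as an ordinary user and again as root, because the two usually have different PATHs; every line it prints is a directory whose writers can get code run by everyone who searches it.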
