
Bug#617938: marked as done (/etc directories owned by non-root users allow privilege escalation attacks)



Your message dated Fri, 11 Aug 2017 12:44:51 -0700
with message-id <87o9rlx51o.fsf@iris.silentflame.com>
and subject line Closing inactive Policy bugs
has caused the Debian Bug report #617938,
regarding /etc directories owned by non-root users allow privilege escalation attacks
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
617938: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=617938
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: slrn
Version: 1.0.0~pre16-1
Severity: critical

Directories /var/log/news/ and /etc/news/ have weird ownership -
news:news. Some deb scripts use these directories as trusted and write
to files located there, e.g. like this (from slrnpull.postinst):

echo "$RET" > /etc/news/server

These directories must not be writable by non-root as it might
compromise root via specially crafted symlinks/hardlinks/etc. created by
user or group "news".

As these directories are not owned by a single package, but are created
by each package, all packages owning files in these directories might be
vulnerable:

$ apt-file search /etc/news/ | cut -d: -f1 | uniq
ifgate
inn
inn2
inn2-inews
innfeed
leafnode
slrn
slrnpull
uucpsend

If I should report this bug another way as it affects multiple packages,
please tell me how I should do it.

Reference: https://bugs.launchpad.net/ubuntu/+source/slrn/+bug/731547


Thanks,

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments



--- End Message ---
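The unsafe write quoted in the report, beside a guarded form and an ownership audit, as an added example written for this page (not from slrn, the bug report, or any Debian maintainer script; the temporary tree, file names and the `audit_dir_owners`, `dir_is_trusted`, `safe_write` and `demo` helpers are constructed for illustration):

```shell
# Added example; not from the bug report, slrn, or any Debian maintainer script.
# Two defensive pieces: an audit listing directories under a tree whose owner is
# not the expected user, and a guarded replacement for the quoted pattern
#     echo "$RET" > /etc/news/server
# that refuses to write unless the directory is owned by the caller and writable
# only by its owner, and the target is not a symlink, hard link or non-regular file.
# POSIX sh, find and test only, so it runs unprivileged against a temp tree.

# Print each directory under $1 not owned by user $2 (default root).
audit_dir_owners() {
    find "$1" -type d ! -user "${2:-root}" -print
}

# Return 0 if $1 is a directory owned by the caller and not group/world-writable.
dir_is_trusted() {
    [ -d "$1" ] || return 1
    [ -n "$(find "$1" -prune -user "$(id -un)" -print)" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ] || return 1
}

# Write $3 to $1/$2 only when $1 is trusted and the target, if present, is a
# regular file owned by the caller with a single link; otherwise write nothing
# and return 1.  A check-then-open in shell still leaves a small race window;
# a compiled helper using O_NOFOLLOW closes it, this removes the obvious cases.
safe_write() {
    dir=$1 value=$3 path="$1/$2"
    dir_is_trusted "$dir" || return 1
    [ -L "$path" ] && return 1
    if [ -e "$path" ]; then
        [ -n "$(find "$path" -prune -type f -user "$(id -un)" -links 1 -print)" ] || return 1
    fi
    printf '%s\n' "$value" > "$path"
}

# Exercise the checks on a constructed tree; prints "<case1> <case2> <case3> <victim>".
demo() {
    t=$(mktemp -d) || return 1
    mkdir "$t/trusted" "$t/loose"
    chmod 0755 "$t/trusted"; chmod 0777 "$t/loose"   # loose: any user may create entries
    : > "$t/victim"                                 # file that must not be overwritten
    ln -s "$t/victim" "$t/trusted/server"           # planted symlink of the kind the report describes
    safe_write "$t/trusted" plain news.example && r1=ok || r1=refused
    safe_write "$t/trusted" server news.example && r2=ok || r2=refused
    safe_write "$t/loose" server news.example && r3=ok || r3=refused
    [ -s "$t/victim" ] && r4=clobbered || r4=intact
    rm -rf "$t"
    echo "$r1 $r2 $r3 $r4"
}
```

Running `demo` prints `ok refused refused intact`: only the write into a root-style trusted directory with no pre-existing entry goes through, and the symlink target stays empty.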
--- Begin Message ---
control: user debian-policy@packages.debian.org
control: usertag -1 +obsolete
control: tag -1 +wontfix

Russ Allbery and I did a round of in-person bug triage at DebConf17 and
we are closing this bug as inactive.

The reasons for closing fall into the following categories, from most
frequent to least frequent:

- issue is appropriate for Policy, there is a consensus on how to fix
  the problem, but preparing the patch is very time-consuming and no-one
  has volunteered to do it, and we do not judge the issue to be
  important enough to keep an open bug around;

- issue is appropriate for Policy but there does not yet exist a
  consensus on what should change, and no recent discussion.  A fresh
  discussion might allow us to reach consensus, and the messages in the
  old bug are unlikely to help very much; or

- issue is not appropriate for Policy.

If you feel this bug is still relevant and want to restart the
discussion, you can re-open the bug.  However, please consider instead
opening a new bug with a message that summarises and condenses the
previous discussion, updates the report for the current state of Debian,
and makes clear exactly what you think should change.

A lot of these old bugs have long side tangents and numerous messages,
and that old discussion is not necessarily helpful for figuring out what
Debian Policy should say today.

-- 
Sean Whitton



--- End Message ---
