
Bug#299007: marked as done (Transitioning perms of /usr/local)



Your message dated Thu, 05 Apr 2018 17:20:05 +0000
with message-id <E1f48YP-000456-Cl@fasolo.debian.org>
and subject line Bug#299007: fixed in debian-policy 4.1.4.0
has caused the Debian Bug report #299007,
regarding Transitioning perms of /usr/local
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
299007: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=299007
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: base-files
Version: 3.0.2
Severity: critical
Tags: patch security
Justification: root security hole


I recently noticed that /usr/local and /usr/local/{bin,sbin} are
group-writable and owned by root:staff. This is wrong: those directories
are in the default PATH for root. They (and files within) should be
root-owned: group staff users or become-any-user-but-root bugs should not
be able to trojan and thus get root.

The Debian Policy Manual [1] says:

  ... /usr/local take precedence over the equivalents in /usr.
  ... should have permissions 2775 and be owned by root.staff.

but it [2] also says:

  ... make sure that [it] is secure ...
  Files should be owned by root.root ... mode 644 or 755.
  Directories should be mode 755 or 2775 ... owned by the group that needs
  write access to it.

The Debian Reference [3] and Securing Debian Manual [4], [5] say

  [group] staff is ... for helpdesk types or junior sysadmins ... to do
  things in /usr/local and to create directories in /home.

  [group] staff: Allows users to add local modifications to the system
  (/usr/local, /home) without needing root privileges.

  The 'staff' group are usually help-desk/junior sysadmins, allowing them
  to work in /usr/local and create directories in /home. 

(This is surely wrong; it seems a SysV left-over: you need root privileges to
chown user directories in /home, or in fact to create users in /etc/passwd.)

"Junior sysadmins" should not be able or encouraged to trojan root, even if
you trust them with the root password or give them sudo privileges.

Become-any-user-but-root and become-any-group-but-root bugs are quite
common. When a group of machines share user home directories via NFS
exported from somewhere with default root-squash, getting root on one
machine gives precisely that on all others of the group. There have also been
"genuine" such bugs, e.g. in sendmail [6].

This security lapse has been discussed before [7], [8].

The solution is to remove /usr/local things from the default PATH in
/root/.profile (i.e. in /usr/share/base-files/dot.profile), leaving a
warning comment instead.

It would also be good to re-word the confused policy, and to make
/usr/local root-owned. (Maybe /usr/local/sbin could then be used again.)
Discuss on debian-policy@lists.debian.org, or "reportbug debian-policy"?

References:

[1] http://www.debian.org/doc/debian-policy/ch-opersys.html#s9.1.2
[2] http://www.debian.org/doc/debian-policy/ch-files.html#s10.9
[3] http://www.debian.org/doc/manuals/reference/ch-tune.en.html#s9.2.3
[4] http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.1.12.1
[5] http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.1.12.2
[6] http://hackersplayground.org/papers/sendmailholes.txt
[7] http://lists.debian.org/debian-doc/2001/08/msg00041.html
[8] http://lists.debian.org/debian-user/2003/12/msg02057.html

Cheers,

Paul Szabo   psz@maths.usyd.edu.au   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia


-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.22-smssvr1.5.3 #1 SMP Wed Jun 23 13:01:39 EST 2004 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages base-files depends on:
ii  base-passwd                   3.4.1      Debian Base System Password/Group 
ii  gawk [awk]                    1:3.1.0-3  GNU awk, a pattern scanning and pr
ii  mawk [awk]                    1.3.3-8    a pattern scanning and text proces



--- End Message ---
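The condition the report describes (a directory on root's PATH that a non-root principal can write to, or a writable file inside one) is easy to audit mechanically. The script below is an added example for this page, not code from the bug report, from base-files or from Debian; it assumes GNU coreutils stat(1) with the -c format option, and the hypothetical function names audit_path and is_unsafe_dir are its own. Run against root's PATH it flags a 2775 root:staff /usr/local/bin as group-writable, exactly the case Paul objects to, and it ignores PATH entries that do not exist.

```shell
#!/bin/sh
# Added example (not from the bug report or Debian): audit a PATH-style string
# for directories, and files directly within them, that a principal other than
# root could write to. Assumes GNU coreutils stat(1) (-c FORMAT).

# is_unsafe_dir DIR: print the reasons DIR is writable by a non-root principal
# and return 0; return 1 (printing nothing) if it is root-owned and writable
# only by its owner.
is_unsafe_dir() {
    raw=$(stat -c '%a %u %U %G' -- "$1" 2>/dev/null) || return 1
    set -- $raw                     # $1 octal mode, $2 uid, $3 owner, $4 group
    mode=$((0$1))                   # the leading 0 makes the arithmetic octal
    reasons=""
    if [ "$2" -ne 0 ]; then reasons="${reasons}owned-by-$3 "; fi
    if [ $((mode & 020)) -ne 0 ]; then reasons="${reasons}group-$4-writable "; fi
    if [ $((mode & 002)) -ne 0 ]; then reasons="${reasons}world-writable "; fi
    [ -n "$reasons" ] || return 1
    printf '%s\n' "${reasons% }"
}

# audit_path PATHSTRING: print one UNSAFE line per finding and return 1 if
# there were any, 0 if every existing directory on the path is safe for root.
audit_path() {
    pathstr=$1
    findings=0
    old_ifs=$IFS
    IFS=:
    set -- $pathstr                 # split on ':' exactly as the shell does
    IFS=$old_ifs
    for d in "$@"; do
        [ -n "$d" ] || d=.          # an empty PATH element means the current directory
        [ -d "$d" ] || continue     # PATH routinely names directories that do not exist
        if why=$(is_unsafe_dir "$d"); then
            printf 'UNSAFE dir %s: %s\n' "$d" "$why"
            findings=$((findings + 1))
        fi
        # A group- or world-writable file in a PATH directory is as bad as a
        # writable directory: root will execute whatever it contains.
        for f in "$d"/*; do
            [ -f "$f" ] || continue
            fmode=$(stat -c '%a' -- "$f" 2>/dev/null) || continue
            if [ $((0$fmode & 022)) -ne 0 ]; then
                printf 'UNSAFE file %s: mode %s\n' "$f" "$fmode"
                findings=$((findings + 1))
            fi
        done
    done
    [ "$findings" -eq 0 ]
}

# Usage: audit the PATH root actually gets, e.g. from a root shell:
#   audit_path "$PATH"
```

The owner check reports any directory not owned by uid 0, so on a system where /usr/local is root:staff 2775 the finding is "group-staff-writable" rather than an ownership complaint; after the Policy change that closed this bug (root-owned, not group-writable) the same directory produces no output.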
--- Begin Message ---
Source: debian-policy
Source-Version: 4.1.4.0

We believe that the bug you reported is fixed in the latest version of
debian-policy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 299007@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sean Whitton <spwhitton@spwhitton.name> (supplier of updated debian-policy package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 05 Apr 2018 09:08:16 -0700
Source: debian-policy
Binary: debian-policy
Architecture: all source
Version: 4.1.4.0
Distribution: unstable
Urgency: medium
Maintainer: Debian Policy Editors <debian-policy@lists.debian.org>
Changed-By: Sean Whitton <spwhitton@spwhitton.name>
Closes: 299007 515856 742364 881431 886890 888437 889167 889960 892142
Description: 
 debian-policy - Debian Policy Manual and related documents
Changes:
 debian-policy (4.1.4.0) unstable; urgency=medium
 .
   [ Sean Whitton ]
   * Policy: Drop get-orig-source rules target
     Wording: Helmut Grohne <helmut@subdivi.de>
     Seconded: Holger Levsen <holger@layer-acht.org>
     Seconded: Niels Thykier <niels@thykier.net>
     Closes: #515856
   * Policy: Update required permissions for /usr/local
     Wording: Santiago Vila <sanvila@unex.es>
     Seconded: Don Armstrong <don@debian.org>
     Seconded: Ian Jackson <ijackson@chiark.greenend.org.uk>
     Seconded: Russ Allbery <rra@debian.org>
     Closes: #299007
   * Policy: Document debian/missing-sources
     Wording: Sean Whitton <spwhitton@spwhitton.name>
     Seconded: Holger Levsen <holger@layer-acht.org>
     Seconded: Gunnar Wolf <gwolf@debian.org>
     Closes: #742364
   * Policy: Uniqueness of version numbers
     Wording: Sean Whitton <spwhitton@spwhitton.name>
     Seconded: Simon McVittie <smcv@debian.org>
     Seconded: Holger Levsen <holger@layer-acht.org>
     Closes: #881431
   * Update recommendations dh_systemd_* -> dh_installsystemd (Closes: #889167).
     Thanks Chris Lamb for the report.
   * Fix some typos (Closes: #886890).
     Thanks Sebastian Rasmussen for the patch.
   * Fix some errors in shell script snippets caused by the rST conversion
     script (Closes: #888437).
     Thanks Yao Wei for the patch.
   * Fix version of init-system-helpers required for `defaults-disabled`
     option from 1.5.0 to 1.50.
     Thanks to GengYu Rao for noting this on the debian-policy list.
   * Fix indentation of description of the clean target (Closes: #889960).
     Thanks Ferenc Wágner for the report.
 .
   [ Jonathan Nieder ]
   * Use default-mta instead of exim in dependency example (Closes: #892142).
     Thanks to Paul Wise for the report.
Checksums-Sha1: 
 ef1dc5fd8a3ceb38c8deace04558c671bea95f25 2001 debian-policy_4.1.4.0.dsc
 a1e805333f756765570c27ff89a4fdd7eaf05363 677108 debian-policy_4.1.4.0.tar.xz
 56dcdb6f05815c3456b56e10c519a3db18ee5992 2387292 debian-policy_4.1.4.0_all.deb
 56d2b860d72ff9de0ac7ca37e84db816bf8e2d76 12126 debian-policy_4.1.4.0_amd64.buildinfo
Checksums-Sha256: 
 53b8f08ffbf1689ab2e97bb3b1586df0a4d4d8a480b9c4ba1de798b7257bf8fe 2001 debian-policy_4.1.4.0.dsc
 023608b73abeb2d75c9dc64ce58761b5da30a7017f6db5f01a573f33e2e3a7c3 677108 debian-policy_4.1.4.0.tar.xz
 6e9005245aee6e8c51f8c85a4c035e382e0861415459eae0263b41014818a0d8 2387292 debian-policy_4.1.4.0_all.deb
 1818cd12a58b0770e0d9b75561779325b74841e4b2af5727ff7aca9694c8727f 12126 debian-policy_4.1.4.0_amd64.buildinfo
Files: 
 a8bb9047202d77c74e5b4bd30a160f4e 2001 doc optional debian-policy_4.1.4.0.dsc
 8a80b4e16c6c15e4d1c5dfd645bc2d57 677108 doc optional debian-policy_4.1.4.0.tar.xz
 9537b38c53706d8d59f771f720a3f406 2387292 doc optional debian-policy_4.1.4.0_all.deb
 e2982e5cb7400de55a59cb24e5b1dfb7 12126 doc optional debian-policy_4.1.4.0_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
