--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: libutempter0: /usr/lib/utempter/utempter should be world readable
- From: Frank Lin PIAT <fpiat@klabs.be>
- Date: Mon, 08 Mar 2010 10:49:17 +0100
- Message-id: <20100308094917.22538.30866.reportbug@solid.paris.klabs.be>
Package: libutempter0
Version: 1.1.5-2
Severity: normal
Hello,
The wrapper utempter is not world readable:
> % ls -al /usr/lib/utempter/utempter
> -rwx--s--x. 1 root utmp 4940 2009-08-29 13:03 /usr/lib/utempter/utempter
According to Debian policy, executables should be world-readable[1]:
> Setuid and setgid executables should be mode 4755 or 2755 respectively,
> and owned by the appropriate user or group. They should not be made
> unreadable (modes like 4711 or 2711 or even 4111); doing so achieves
> no extra security, because anyone can find the binary in the freely
> available Debian package; it is merely inconvenient.
In my case, I wanted to run debsums (as non root), but it failed with:
> debsums: can't open libutempter0 file /usr/lib/utempter/utempter
> (Permission denied)
The patch is trivial:
==================
--- rules.orig 2010-03-08 10:46:48.000000000 +0100
+++ rules 2010-03-08 10:46:51.000000000 +0100
@@ -5,7 +5,7 @@
override_dh_fixperms:
dh_fixperms
- chmod 2711 debian/libutempter0/usr/lib/utempter/utempter
+ chmod 2755 debian/libutempter0/usr/lib/utempter/utempter
chown root:utmp debian/libutempter0/usr/lib/utempter/utempter
.PHONY: override_dh_auto_test
==================
Franklin
[1] http://www.debian.org/doc/debian-policy/ch-files.html#s10.9
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing'), (101, 'unstable'), (10, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.33-2-686 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libutempter0 depends on:
ii adduser 3.112 add and remove users and groups
ii libc6 2.10.2-6 Embedded GNU C Library: Shared lib
libutempter0 recommends no packages.
libutempter0 suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: libutempter
Source-Version: 1.1.5-3
We believe that the bug you reported is fixed in the latest version of
libutempter, which is due to be installed in the Debian FTP archive:
libutempter-dev_1.1.5-3_amd64.deb
to main/libu/libutempter/libutempter-dev_1.1.5-3_amd64.deb
libutempter0_1.1.5-3_amd64.deb
to main/libu/libutempter/libutempter0_1.1.5-3_amd64.deb
libutempter_1.1.5-3.debian.tar.gz
to main/libu/libutempter/libutempter_1.1.5-3.debian.tar.gz
libutempter_1.1.5-3.dsc
to main/libu/libutempter/libutempter_1.1.5-3.dsc
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 573015@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Fathi Boudra <fabo@debian.org> (supplier of updated libutempter package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 22 Apr 2010 14:19:47 +0300
Source: libutempter
Binary: libutempter-dev libutempter0
Architecture: source amd64
Version: 1.1.5-3
Distribution: unstable
Urgency: low
Maintainer: Debian Krap Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Fathi Boudra <fabo@debian.org>
Description:
libutempter-dev - A privileged helper for utmp/wtmp updates (development)
libutempter0 - A privileged helper for utmp/wtmp updates (runtime)
Closes: 573015
Changes:
libutempter (1.1.5-3) unstable; urgency=low
.
* Switch to dpkg-source 3.0 (quilt) format.
* Update debian/control:
- Bump debhelper build dependency version to 7.4.15.
- Bump Standards-Version to 3.8.3 (no changes needed).
* Update debian/rules:
- Enable parallel build ().
- List missing files ().
- Call chown before chmod.
- Change utempter permissions to world-readable (2755). (Closes: #573015)
* Update debian/libutempter0.lintian-overrides file.
* Add debian/libutempter0.symbols file.
Checksums-Sha1:
6e983363b8484585ae07e16aa7b864cf91f73cc8 1255 libutempter_1.1.5-3.dsc
2b766a179185eb8cd5766f0ca528dcf90f1d45cc 2563 libutempter_1.1.5-3.debian.tar.gz
6f442cec16a5388a5f440e4af0d09ad156ca90d1 4640 libutempter-dev_1.1.5-3_amd64.deb
0678b6d11d0fa4a2be880308979dfccbf6e4aacc 7954 libutempter0_1.1.5-3_amd64.deb
Checksums-Sha256:
f71716dd95e42183561f72f2256a9d71446824ebbff742743c16740d41048a99 1255 libutempter_1.1.5-3.dsc
3fc2915cebd924b671b0b2a1d00ce37ec583717f3763a92506b1938542090723 2563 libutempter_1.1.5-3.debian.tar.gz
8e3fb7e4a0d693758bfc8c160c24f53dca3aa7475f725baa2a4bc11ff13fd09a 4640 libutempter-dev_1.1.5-3_amd64.deb
35ba3147352d8f455aeb86075fa23f9ac09038eb5a833dc648ff23258365132c 7954 libutempter0_1.1.5-3_amd64.deb
Files:
6a9accb90c6c1e467c7e3dfb348e527c 1255 libs optional libutempter_1.1.5-3.dsc
329476af17acbec8837c518b522d1af8 2563 libs optional libutempter_1.1.5-3.debian.tar.gz
e684a143a3dcbe620f74152bd54e25e4 4640 libdevel optional libutempter-dev_1.1.5-3_amd64.deb
1e133db6724866d309d26cd598f960e2 7954 libs optional libutempter0_1.1.5-3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iJwEAQECAAYFAkvQOlkACgkQjPU19mqlcvfmpgP+NcmRXe38Z3EgoVC/0sSEL4EP
hZsUePiAlK91hGs6KHKCq4ZNzX0QiRi39tO10ut9Q3Uz8fhYGpRzosD/nmcdwrws
sBYcb/lwPDx/DLDLrdyl80wBu1No6Q5fAl67QQx2fsYDQajr/+SvceTfbkkVnpaz
/i5NN+m0V3vbxWOoS2Q=
=X5nx
-----END PGP SIGNATURE-----
--- End Message ---