[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

398254 is a security bug (SUID permission is 755 instead of 700 during installation)

tags 398254 + security
tags 398254 + patch
thanks

>The postinst of fuse-utils creates the group fuse and sets the
>permissions of fusermount to root:fuse 4754.  Before that happens,
>fusermount has the permissions specified in the deb, namely root:root
>4755.  Thus, during the installation of fuse, any user can mount a
>FUSE filesystem without needing membership in group fuse.

I belive it is a security bug, non allowed user could use fuse. 
Do not raise priority because it will only allow a user to do something mad on his own account, and race windows is tiny.

Patch is simple please apply (NMU candidate?)

Regards

Bastien
-- 

"ROUCARIÈS Bastien"
                                            roucaries.bastien+debian@gmail.com
-------------------------------------------------------------------------------
DO NOT WRITE TO roucaries.bastien+blackhole@gmail.com OR BE BLACKLISTED

--- rules.old	2009-01-02 20:41:10.000000000 +0100
+++ rules	2009-01-02 21:26:45.000000000 +0100
@@ -86,7 +86,7 @@
 	dh_shlibdeps -s
 	dh_gencontrol -s
 	dh_md5sums -s
-	chmod 4755 debian/fuse-utils/usr/bin/fusermount
+	chmod 4700 debian/fuse-utils/usr/bin/fusermount
 	dh_builddeb -s
 
 binary-indep:
Reply to: