
502300 is a security bug (SUID permission is 755 instead of 700 during installation)



tags 502300  + security
tags 502300 + patch
tags 398254 - security
thanks

Sorry it was 502300 and not 398254 (lack of coffee)

On Friday 2 January 2009, Bastien ROUCARIES wrote:
> tags 398254 + security
> tags 398254 + patch
> thanks
> 
> >The postinst of fuse-utils creates the group fuse and sets the
> >permissions of fusermount to root:fuse 4754.  Before that happens,
> >fusermount has the permissions specified in the deb, namely root:root
> >4755.  Thus, during the installation of fuse, any user can mount a
> >FUSE filesystem without needing membership in group fuse.
> 
> I believe it is a security bug; a non-allowed user could use fuse.
> Do not raise the priority, because it will only allow a user to do something mad on his own account, and the race window is tiny.
> 
> Patch is simple, please apply (NMU candidate?)
> 
> Regards
> 
> Bastien



-- 

"ROUCARIÈS Bastien"
                                            roucaries.bastien+debian@gmail.com
-------------------------------------------------------------------------------
DO NOT WRITE TO roucaries.bastien+blackhole@gmail.com OR BE BLACKLISTED
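
The window described in the quoted report can be checked for before a package ships. The following is an added example, not code from the bug report or from fuse-utils: it compares the mode a setuid file carries in a package's data archive with the mode the postinst sets later, and reports permission bits that exist only during installation. The archive is constructed in memory, and the path /usr/bin/fusermount and the function names are assumptions.

```python
import io
import stat
import tarfile


def build_sample_data_tar():
    """Constructed stand-in for a package's data archive (not the real .deb)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode in (("./usr/bin/fusermount", 0o4755),  # path is assumed
                           ("./usr/share/doc/example/README", 0o644)):
            payload = b"placeholder\n"
            info = tarfile.TarInfo(name)
            info.mode, info.uname, info.gname = mode, "root", "root"
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def install_window_findings(data_tar, final_state):
    """Return setuid/setgid files whose shipped mode grants bits the final mode drops.

    final_state maps path -> (owner, group, mode) as applied later by the postinst.
    Each finding is (path, shipped mode, final mode, bits present only in between).
    """
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data_tar)) as tar:
        for member in tar:
            if not member.isfile():
                continue
            if not member.mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            path = member.name.lstrip(".")
            if path not in final_state:
                continue
            _, _, final_mode = final_state[path]
            extra = member.mode & ~final_mode & 0o7777
            if extra:
                findings.append((path, oct(member.mode), oct(final_mode), oct(extra)))
    return findings


# Final state given in the bug report: root:fuse 4754.
FINAL = {"/usr/bin/fusermount": ("root", "fuse", 0o4754)}

if __name__ == "__main__":
    for path, shipped, final, extra in install_window_findings(build_sample_data_tar(), FINAL):
        print("%s: shipped %s, final %s, extra bits during install %s"
              % (path, shipped, final, extra))
```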

