
Re: Exploit in Upgrade Chain?



Boyd Stephen Smith Jr. wrote:
> On Wednesday 11 February 2009 23:26:45 Stan Katz wrote:
> > I updated/upgraded both my AMD64 and AMD k6 "Etch" machines between Feb
> > 10-11, 2009 using "Lenny" test. Both picked up a symptom I haven't seen
> > since the lpd exploit of the 1990's. This symptom manifests itself as
> > either a random escalation of the etc directory mode up to 600, or a
> > consistent escalation to mode 600 upon reboot.
>
> My /etc is mode 755. Why would that be a problem? Some users/programs may
> need to read data out of the directory, and root (the owner of my /etc)
> certainly needs write permissions.
>
> > I don't remember why the lpd
> > exploit did this. If this is an exploit, it shakes my confidence in debian
> > online updating.
>
> I don't see how a 600 /etc can be exploited. Do you have any other records
> that would indicate you are exploited, or is this just fear-mongering?

/etc with mode 600 is a grave error!
/etc/ must be accessible for the following reasons:
- Debian alternatives (some POSIX programs require them, e.g. the "editor" command)
- networking: libc needs to read some files (resolver, hostname, ...), and this
  is done in a normal user context
- passwd must be public (indirectly required by POSIX)
- /etc holds daemon configuration, which a daemon may read in its own
  (non-root) context. This is especially true when reloading configuration
- and a lot more reasons.

Some files must be protected, not the entire /etc.

ciao
	cate
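The points above can be turned into a small audit. The following script is an added example and is not part of the original message or of Debian; the list of entries that must stay readable or searchable by non-root processes is an assumption assembled from the reasons given in the reply, and the sample tree is constructed to reproduce the reported symptom (/etc itself at mode 600).

```python
"""Check that /etc stays traversable and its public files readable by non-root.

Added example, not from the mailing-list thread. REQUIRED and PROTECTED are an
assumed policy built from the reply's list of reasons; SAMPLE_* trees are
constructed inputs.
"""
import os
import stat

# Entries that unprivileged processes must be able to traverse or open.
# A directory needs the "search" bit (x) for others; a file needs read (r).
# Without x on /etc itself nothing below it is reachable, however the
# individual files are moded.
REQUIRED = {
    "/etc": "dir",
    "/etc/alternatives": "dir",   # Debian alternatives symlink farm
    "/etc/resolv.conf": "file",   # resolver, read in normal user context
    "/etc/hostname": "file",
    "/etc/hosts": "file",
    "/etc/nsswitch.conf": "file",
    "/etc/passwd": "file",        # must be public
}

# "Some files must be protected": these must NOT be world-readable.
PROTECTED = ("/etc/shadow", "/etc/gshadow")


def others_can_read(mode):
    return bool(mode & stat.S_IROTH)


def others_can_search(mode):
    return bool(mode & stat.S_IXOTH)


def audit(tree):
    """tree maps path -> permission bits (e.g. 0o755). Returns a list of findings."""
    findings = []
    for path, kind in REQUIRED.items():
        if path not in tree:
            continue
        mode = tree[path]
        if kind == "dir" and not others_can_search(mode):
            findings.append(f"{path}: mode {mode:04o} denies traversal to non-root")
        elif kind == "file" and not others_can_read(mode):
            findings.append(f"{path}: mode {mode:04o} denies reading to non-root")
    for path in PROTECTED:
        if path in tree and others_can_read(tree[path]):
            findings.append(f"{path}: mode {tree[path]:04o} is world-readable")
    return findings


def snapshot(paths=tuple(REQUIRED) + PROTECTED):
    """Collect live permission bits for the listed paths that exist on this host."""
    tree = {}
    for path in paths:
        try:
            tree[path] = stat.S_IMODE(os.stat(path).st_mode)
        except FileNotFoundError:
            pass
    return tree


# Constructed sample reproducing the symptom from the thread: /etc escalated
# to 0600 while the files underneath keep their usual modes.
SAMPLE_BROKEN = {
    "/etc": 0o600,
    "/etc/alternatives": 0o755,
    "/etc/resolv.conf": 0o644,
    "/etc/passwd": 0o644,
    "/etc/shadow": 0o640,
}
# Same tree with /etc back at the normal 0755.
SAMPLE_OK = dict(SAMPLE_BROKEN, **{"/etc": 0o755})

if __name__ == "__main__":
    for finding in audit(SAMPLE_BROKEN):
        print("sample:", finding)
    for finding in audit(snapshot()):
        print("live:", finding)
```

Running it prints the single finding for the constructed tree (/etc at 0600 blocks traversal) and then whatever the live host reports; an empty live list means /etc is searchable by everyone and the password file is readable while shadow is not, which is the state the reply describes as correct.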

