
Bug#449573: marked as done (sources.list not owned by root)



Your message dated Thu, 06 Nov 2008 18:37:14 +0200
with message-id <49131D3A.7060905@gmail.com>
and subject line closing #449573
has caused the Debian Bug report #449573,
regarding sources.list not owned by root
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
449573: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449573
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
X-Debbugs-No-Ack: please
Package: apt
Version: 0.7.9
Severity: wishlist

Poking around /etc/apt with ls -o,
  /etc/apt:
  drwxr-xr-x   2 root     1024 Nov  7 01:11 apt.conf.d
  -rw-------   1 root        0 Jan 23  2007 secring.gpg
  -rw-r--r--   1 jidanni   491 Nov  7 01:25 sources.list
  drwxr-xr-x   2 root     1024 Feb 22  2006 sources.list.d
  -rw-------   1 root     1200 Aug 25 07:14 trustdb.gpg
  -rw-r--r--   1 root    18247 Aug 25 07:14 trusted.gpg
  -rw-r--r--   1 root    18247 Aug 25 07:14 trusted.gpg~
I noticed:
1. Seems I could get away with having sources.list owned by non-root.
   Probably no check is done for files and directories to be sure they
   are owned by root before reading... or maybe who cares.
2. trusted.gpg and backups are world readable.

I'm not sure if these are security concerns.



--- End Message ---
--- Begin Message ---
Hi Jidanni!

>Seems I could get away with having sources.list owned by non-root.
>Probably no check is done for files and directories to be sure they
>are owned by root before reading... or maybe who cares.
Why is this check needed? Root usually can read all files. And it seems that
you set 'jidanni' as owner by yourself. Again, this is not apt's problem.

>trusted.gpg and backups are world readable
No security concerns as they are not private keys or similar, only signs.

Closing this bug for now. If you can reproduce the permissions being changed
by apt - reopen it (the bug).

-- 
Eugene V. Lyubimkin aka JackYF



--- End Message ---
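
An added example, not part of the original thread or of apt: a shell function that automates the manual `ls -o` inspection from the report, listing entries under /etc/apt that are not owned by root or that are writable by group or others. It assumes GNU find (for -printf and -perm /022); the function name audit_apt_dir is hypothetical.

```shell
#!/bin/sh
# Added example (not part of apt): report entries under an APT
# configuration directory that a non-root account could modify.
#
# audit_apt_dir [DIR] [UID]
#   DIR  directory to audit (default /etc/apt)
#   UID  numeric owner every entry should have (default 0, root)
# Prints "OWNER <uid> <path>" or "WRITABLE <mode> <path>" per finding and
# returns 1 if there was at least one finding, 0 otherwise.
# Read permission is not examined.
audit_apt_dir() {
    audit_dir=${1:-/etc/apt}
    audit_uid=${2:-0}
    audit_out=$(
        # Owned by someone other than the expected account, as with the
        # sources.list entry in the listing from the report.
        find "$audit_dir" ! -uid "$audit_uid" -printf 'OWNER %U %p\n'
        # Writable by group or others. Symlinks are skipped because their
        # own mode bits are not used for access checks.
        find "$audit_dir" ! -type l -perm /022 -printf 'WRITABLE %m %p\n'
    )
    [ -z "$audit_out" ] && return 0
    printf '%s\n' "$audit_out"
    return 1
}

# Usage: audit_apt_dir /etc/apt
```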
