Debian Bug report logs - #304405
geneweb: prerm alters random files on the filesystem

version graph

Package: geneweb; Maintainer for geneweb is Christian Perrier <bubulle@debian.org>; Source for geneweb is src:geneweb.

Reported by: "Tim Dijkstra \(tdykstra\)" <tim@famdijkstra.org>

Date: Tue, 12 Apr 2005 22:03:05 UTC

Severity: grave

Tags: security, woody

Found in version 4.10-6

Fixed in version geneweb/4.10-7

Done: Christian Perrier <bubulle@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Christian Perrier <bubulle@debian.org>:
Bug#304405; Package geneweb. Full text and rfc822 format available.

Acknowledgement sent to "Tim Dijkstra \(tdykstra\)" <tim@famdijkstra.org>:
New Bug report received and forwarded. Copy sent to Christian Perrier <bubulle@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: "Tim Dijkstra \(tdykstra\)" <tim@famdijkstra.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: geneweb: prerm alters random files on the filesystem
Date: Tue, 12 Apr 2005 23:54:18 +0200
Package: geneweb
Version: 4.10-6
Severity: grave


The prerm of geneweb finds files that it thinks are geneweb databases
located everywhere on the system and starts altering them (updating,
moving, etc).

All this unasked for. A maintainer script has no business messing around
with peoples data!

I can see the point in updating the databases in the dir owned by
geneweb (/var/lib/geneweb), but messing around random files on the
filesystem is not something a maintainer script should do. 
I was stupid enough to have a drive mounted r/w with backups on them, which now are also nicely updated...

grts Tim

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.9
Locale: LANG=nl_NL, LC_CTYPE=nl_NL (charmap=UTF-8) (ignored: LC_ALL set to nl_NL.UTF-8)

Versions of packages geneweb depends on:
ii  adduser                     3.63         Add and remove users and groups
ii  debconf                     1.4.30.11    Debian configuration management sy
ii  iso-codes                   0.44-1       ISO language, territory, currency 
ii  libc6                       2.3.2.ds1-20 GNU C Library: Shared libraries an
ii  perl-base [perl5-base]      5.8.4-8.1    The Pathologically Eclectic Rubbis

-- debconf information:
* geneweb/run_mode: Manual
  geneweb/remainingdir:
  geneweb/oldrcfile:
* geneweb/remove_databases: false
* geneweb/port: 2317
  geneweb/remove_etcdirs: false
* geneweb/lang: Dutch



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#304405; Package geneweb. Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #10 received at 304405@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: "Tim Dijkstra (tdykstra)" <tim@famdijkstra.org>, 304405@bugs.debian.org
Subject: Re: Bug#304405: geneweb: prerm alters random files on the filesystem
Date: Wed, 13 Apr 2005 07:34:31 +0200
Quoting Tim Dijkstra (tdykstra) (tim@famdijkstra.org):
> Package: geneweb
> Version: 4.10-6
> Severity: grave
> 
> 
> The prerm of geneweb finds files that it thinks are geneweb databases
> located everywhere on the system and starts altering them (updating,
> moving, etc).

updating: no
moving  : no

(unless the script is buggy)

This script tries to find *.gwb files and export them to *.gw
files. This is mostly because, in the past, pre-exporting database
files was the only way to preserve databases when upgrades changed the
database structure. Moreover, the files had to be exported with the
*old* gwu utility, hence the tentative to find all databases around.

> All this unasked for. A maintainer script has no business messing around
> with peoples data!

It does not. It *adds* a xxx.update.gw file along with the found
xxx.gwb file. It tries to give this file the same owner/group than the
former file, and chmod it to preserve privacy.

> 
> I can see the point in updating the databases in the dir owned by
> geneweb (/var/lib/geneweb), but messing around random files on the
> filesystem is not something a maintainer script should do. 
> I was stupid enough to have a drive mounted r/w with backups on them, which now are also nicely updated...


geneweb does not change *.gwb files

So, I understand you may object to this piece of code because, yes, it
deals with users files and is likely to write on places where user
data are. So, for that reason, I may consider commenting the relevant
code because it may be easily interpreted as non policy compliant.

(and indeed the bug severity should then be "serious"...the package
does not lose data unless you prove me wrong)

But I would do so only for that reason....not because geneweb changes
user data which it does not.

Of course, tagging the bug grave while we are so close of a release is
a way to force me taking the only measure I can safely take here :
comment out the code which EXPORTS user data. Because this is the only
safe solution I have, indeed.






Information forwarded to debian-bugs-dist@lists.debian.org, Christian Perrier <bubulle@debian.org>:
Bug#304405; Package geneweb. Full text and rfc822 format available.

Acknowledgement sent to Tim Dijkstra <tim@famdijkstra.org>:
Extra info received and forwarded to list. Copy sent to Christian Perrier <bubulle@debian.org>. Full text and rfc822 format available.

Message #15 received at 304405@bugs.debian.org (full text, mbox):

From: Tim Dijkstra <tim@famdijkstra.org>
To: Christian Perrier <bubulle@debian.org>
Cc: 304405@bugs.debian.org
Subject: Re: Bug#304405: geneweb: prerm alters random files on the filesystem
Date: Wed, 13 Apr 2005 15:26:27 +0200
On Wed, 13 Apr 2005 07:34:31 +0200
Christian Perrier <bubulle@debian.org> wrote:

> Quoting Tim Dijkstra (tdykstra) (tim@famdijkstra.org):
> 
> > All this unasked for. A maintainer script has no business messing
> > around with peoples data!
> 
> It does not. It *adds* a xxx.update.gw file along with the found
> xxx.gwb file. It tries to give this file the same owner/group than the
> former file, and chmod it to preserve privacy.
> 
> > 
> > I can see the point in updating the databases in the dir owned by
> > geneweb (/var/lib/geneweb), but messing around random files on the
> > filesystem is not something a maintainer script should do. 
> > I was stupid enough to have a drive mounted r/w with backups on
> > them, which now are also nicely updated...
>
> geneweb does not change *.gwb files

Ah, sorry. I read the code wrongly, and misinterpreted the modification
time of the files, which was what I checked. But still...

> So, I understand you may object to this piece of code because, yes, it
> deals with users files and is likely to write on places where user
> data are. So, for that reason, I may consider commenting the relevant
> code because it may be easily interpreted as non policy compliant.

I agree to this, a maintainer-script shouldn't just write on random
places on the filesystem. 
For instance, looking a bit better at the code, I think it has a serious
security problem. What if a malicious would do the following:

touch mydata.gwb
ln -s /sbin/init mydata.update.gw


> Of course, tagging the bug grave while we are so close of a release is
> a way to force me taking the only measure I can safely take here :
> comment out the code which EXPORTS user data. Because this is the only
> safe solution I have, indeed.

Don't take it personally, I was just pissed some maintainer script was
writing to my precious backups...

Maybe an alternative to removing the code entirely is to drop the
converted files in a dir under /var/backup and tell the admin it can
find updated files there. You should do some careful temporary file
creation there.

grts Tim




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#304405; Package geneweb. Full text and rfc822 format available.

Acknowledgement sent to Christian Perrier <bubulle@debian.org>:
Extra info received and forwarded to list. Full text and rfc822 format available.

Message #20 received at 304405@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: Tim Dijkstra <tim@famdijkstra.org>
Cc: 304405@bugs.debian.org
Subject: Re: Bug#304405: geneweb: prerm alters random files on the filesystem
Date: Wed, 13 Apr 2005 15:39:59 +0200
> I agree to this, a maintainer-script shouldn't just write on random
> places on the filesystem. 
> For instance, looking a bit better at the code, I think it has a serious
> security problem. What if a malicious would do the following:
> 
> touch mydata.gwb
> ln -s /sbin/init mydata.update.gw


Hmmm, right. The code should at least check for an existing .gw file,
do nothing but issue a warning if it exists (link or not).

> Don't take it personally, I was just pissed some maintainer script was
> writing to my precious backups...
> 
> Maybe an alternative to removing the code entirely is to drop the
> converted files in a dir under /var/backup and tell the admin it can
> find updated files there. You should do some careful temporary file
> creation there.

Yes, this needs to be re-examined post-sarge.

At this moment, I'm left with the problem and I think that I will take
the safe path and just comment out the export functions, even the one
which exports files in the common path.

It is way too late for risky changes, so I think the safest solution
is just disabling this whole part of the prerm scripts.

If a structure change happens in the sarge->etch development phase, I
will probably deal with the problem in the preinst phase (by issuing a
debconf warning and allow users to stop the upgrade process so that
they have an opportunity to first export their data files).


Thanks for reporting...even if this first made me a little bit sick, I
must admit..:-). You were certainly right and that part of the
maintainers scripts is indeed not the one I'm very proud of...







Reply sent to Christian Perrier <bubulle@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to "Tim Dijkstra \(tdykstra\)" <tim@famdijkstra.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #25 received at 304405-close@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: 304405-close@bugs.debian.org
Subject: Bug#304405: fixed in geneweb 4.10-7
Date: Wed, 13 Apr 2005 11:17:19 -0400
Source: geneweb
Source-Version: 4.10-7

We believe that the bug you reported is fixed in the latest version of
geneweb, which is due to be installed in the Debian FTP archive:

geneweb_4.10-7.diff.gz
  to pool/main/g/geneweb/geneweb_4.10-7.diff.gz
geneweb_4.10-7.dsc
  to pool/main/g/geneweb/geneweb_4.10-7.dsc
geneweb_4.10-7_i386.deb
  to pool/main/g/geneweb/geneweb_4.10-7_i386.deb
gwtp_4.10-7_i386.deb
  to pool/main/g/geneweb/gwtp_4.10-7_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 304405@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Christian Perrier <bubulle@debian.org> (supplier of updated geneweb package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 13 Apr 2005 07:28:16 +0200
Source: geneweb
Binary: geneweb gwtp
Architecture: source i386
Version: 4.10-7
Distribution: unstable
Urgency: high
Maintainer: Christian Perrier <bubulle@debian.org>
Changed-By: Christian Perrier <bubulle@debian.org>
Description: 
 geneweb    - Genealogy Software with Web Interface
 gwtp       - Web interface for interacting with Geneweb databases
Closes: 304405
Changes: 
 geneweb (4.10-7) unstable; urgency=high
 .
   * Urgency set to high because fixing RC bug
   * Comment the code which exports databases. It has never proven
     to be really useful and has potential nasty consequences
     Closes: #304405
Files: 
 b53dc63986b1ae65b5588c4e13ee68bd 668 misc optional geneweb_4.10-7.dsc
 c641ef86a81909174a11034e1e48b266 121490 misc optional geneweb_4.10-7.diff.gz
 afa0d559032ca9734b6caf671653a30d 1996884 misc optional geneweb_4.10-7_i386.deb
 e16168e30bed2298fc3fc467515aff2d 181136 misc optional gwtp_4.10-7_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCXS201OXtrMAUPS0RAsW2AJ9KZQ07drPeQdXPI669Fq4n+Ujr8ACeKJOM
gsriSjPCnBYTuO4yRbk8c20=
=DJtV
-----END PGP SIGNATURE-----




Bug reopened, originator not changed. Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Tags added: security, woody Request was from Christian Perrier <bubulle@debian.org> to control@bugs.debian.org. Full text and rfc822 format available.

Reply sent to Christian Perrier <bubulle@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to "Tim Dijkstra \(tdykstra\)" <tim@famdijkstra.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #34 received at 304405-done@bugs.debian.org (full text, mbox):

From: Christian Perrier <bubulle@debian.org>
To: 304405-done@bugs.debian.org, 172195-done@bugs.debian.org, 173706-done@bugs.debian.org
Subject: Closing woody bugs
Date: Mon, 6 Jun 2005 17:49:02 +0200
The release of sarge is on itw way. The bugs mentioned in the To:
header have been reported only on woody versions of the geneweb
package.

Please report them again if you're experiencing them in sarge.


-- 





Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 04:09:05 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.