Debian Bug report logs - #308897
backup-manager: insecure default configuration


Package: backup-manager; Maintainer for backup-manager is Sven Joachim <svenjoac@gmx.de>; Source for backup-manager is src:backup-manager.

Reported by: jtv@thaiopensource.org (Jeroen Vermeulen)

Date: Fri, 13 May 2005 05:18:03 UTC

Severity: critical

Tags: fixed, patch, sarge, security

Found in version 0.5.7-1

Done: Alexis Sukrieh <sukria@sukria.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@sukria.net>:
Bug#308897; Package backup-manager.

Acknowledgement sent to jtv@thaiopensource.org (Jeroen Vermeulen):
New Bug report received and forwarded. Copy sent to Alexis Sukrieh <sukria@sukria.net>.

Message #5 received at submit@bugs.debian.org:

From: jtv@thaiopensource.org (Jeroen Vermeulen)
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: backup-manager: secure repository
Date: Fri, 13 May 2005 12:04:50 +0700
Package: backup-manager
Version: 0.5.7-1
Severity: wishlist


Creating a world-readable repository would be a serious security breach.
I may be mistaken, but AFAICS the installation script fails to check
this or warn about it.  It doesn't enforce it in any case; I just
realized I had a world-readable repository in a working setup.

Are there any steps that can be taken to encourage secure configuration,
e.g. creating the repository at installation time with root-only access
rights, or chmod'ing it if it already exists?  Or alternatively, create
the backups with root-only access rights and/or encrypt them.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-686-smp
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages backup-manager depends on:
ii  debconf                       1.4.30.13  Debian configuration management sy
ii  gzip                          1.3.5-9    The GNU compression utility

-- debconf information excluded





Information forwarded to debian-bugs-dist@lists.debian.org, Alexis Sukrieh <sukria@sukria.net>:
Bug#308897; Package backup-manager.

Acknowledgement sent to Paul Brossier <piem@altern.org>:
Extra info received and forwarded to list. Copy sent to Alexis Sukrieh <sukria@sukria.net>.

Message #10 received at 308897@bugs.debian.org:

From: Paul Brossier <piem@altern.org>
To: Bug Tracking System Commands <control@bugs.debian.org>, 308897@bugs.debian.org
Subject: backup-manager: insecure default configuration
Date: Mon, 6 Jun 2005 20:27:24 +0100
severity 308897 critical 
tags 308897 security
thanks

please correct me if this is over-inflated severity. justification:
introduces a security hole on systems where you install the packages

in its default configuration, backup-manager stores a .tar.gz of /etc in
/var/backups. this file is world readable, so that any local user is
able to read /etc/shadow, /etc/ppp/chap-scripts and other interesting
bits from it.

a solution to this problem is to have backup-manager create files with
perms 0700.

ciao, paul



Severity set to `critical'. Request was from Paul Brossier <piem@altern.org> to control@bugs.debian.org.

Tags added: security Request was from Paul Brossier <piem@altern.org> to control@bugs.debian.org.

Changed Bug title. Request was from Paul Brossier <piem@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#308897; Package backup-manager.

Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>:
Extra info received and forwarded to list.

Message #21 received at 308897@bugs.debian.org:

From: Alexis Sukrieh <sukria@sukria.net>
To: Paul Brossier <piem@altern.org>, 308897@bugs.debian.org
Subject: Re: Bug#308897: backup-manager: insecure default configuration
Date: Tue, 7 Jun 2005 13:39:35 +0200
tags 308897 + pending
thanks

* Paul Brossier (piem@altern.org) disait :
> please correct me if this is over inflated severity. justification:
> introduces a security hole on systems where you install the packages
> 
> in its default configuration, backup-manager stores a .tar.gz of /etc in
> /var/backups. this file is world readable, so that any local user is
> able to read /etc/shadow, /etc/ppp/chap-scripts and other interesting
> bits from it.

You're absolutely right.
This bug is closed in the upcoming new upstream version 0.5.8

I'll ask my sponsor to upload the new package as soon as the upstream
release is ready.

> a solution to this problem is to have backup-manager create files with
> perms 0700.

I chose the solution to add two new configuration keys: BM_USER and BM_GROUP.
The archives repository will be chowned to $BM_USER:$BM_GROUP and will be 
chmoded 660

-- 
                                  Alexis Sukrieh <sukria@sukria.net>
                                               http://www.sukria.net

« Quidquid latine dictum sit, altum sonatur. » 
Whatever is said in Latin sounds profound.
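An added example, not part of this bug log and not backup-manager's own code, that reproduces the insecure default Paul describes (an archive of /etc left world-readable under the usual umask 022, so any local user can read the shadow file inside it) and then applies the fix Alexis outlines: chown the repository and its archives to a dedicated user and group and set the archives to mode 660. It also gives the check Jeroen asked for, an audit that flags any archive a local user could read. Everything here is an assumption of the example: the function names, the 0770 mode on the repository directory (the bug log only states 660 for the archives), the temporary directory standing in for /var/backups, and the constructed fake shadow line packed into the archive. BM_USER and BM_GROUP appear only as the maintainer's configuration keys; the script does not read backup-manager's configuration. Chowning to another user needs root, so the demonstration chowns to the current user and touches only temporary directories.

```shell
#!/bin/sh
# Added example, not backup-manager's own code. Audits a backup repository
# for archives any local user can read (the insecure default reported in
# this bug) and applies the fix the maintainer described: chown the
# repository to a dedicated user:group (his BM_USER/BM_GROUP keys) and
# set the archives to mode 0660.
set -u

# Print every regular file under $1 whose other-read bit is set.
# Returns 1 if any such file exists, 0 if the repository is clean.
audit_repository() {
    repo=$1
    found=$(find "$repo" -type f -perm -004 2>/dev/null)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Tighten $1: owner $2, group $3, archives 0660, directory 0770.
# 0770 on the directory is this example's choice; the bug log only
# states 660 for the archives. Chowning to another user needs root.
harden_repository() {
    repo=$1
    user=$2
    group=$3
    chown "$user:$group" "$repo" || return 1
    chmod 0770 "$repo" || return 1
    find "$repo" -type f -exec chown "$user:$group" {} + \
                         -exec chmod 0660 {} +
}

# Reproduce the insecure default offline: pack a constructed stand-in for
# /etc (one fake shadow line) under the usual umask 022, which leaves a
# 0644 archive behind. Prints the path of the temporary repository.
make_insecure_repo() {
    repo=$(mktemp -d) || return 1
    etc=$(mktemp -d) || return 1
    # Constructed sample line, not a real password hash.
    printf 'root:$6$fakesalt$fakehash:19000:0:99999:7:::\n' > "$etc/shadow"
    ( umask 022 && tar czf "$repo/etc.tar.gz" -C "$etc" . ) || return 1
    rm -rf "$etc"
    printf '%s\n' "$repo"
}

# Stand-alone demonstration: "sh audit.sh demo" (file name assumed).
# Uses numeric uid/gid of the current user so it works without root.
if [ "${1:-}" = "demo" ]; then
    repo=$(make_insecure_repo)
    echo "Before fix, world-readable files:"
    audit_repository "$repo" || true
    harden_repository "$repo" "$(id -u)" "$(id -g)"
    echo "After fix, world-readable files:"
    audit_repository "$repo" && echo "(none)"
    rm -rf "$repo"
fi
```

Run against a real repository, `audit_repository /var/backups` is the quick check for the condition reported here; it lists archives with the other-read bit set and exits non-zero, so it can sit in a cron job or a post-backup hook. Note that the fix as described leaves the archives readable by the repository group, so the group chosen for BM_GROUP must itself contain only trusted accounts.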



Tags added: pending Request was from Alexis Sukrieh <sukria@sukria.net> to control@bugs.debian.org.

Reply sent to Alexis Sukrieh <sukria@sukria.net>:
You have taken responsibility.

Notification sent to jtv@thaiopensource.org (Jeroen Vermeulen):
Bug acknowledged by developer.

Message #28 received at 308897-close@bugs.debian.org:

From: Alexis Sukrieh <sukria@sukria.net>
To: 308897-close@bugs.debian.org
Subject: Bug#308897: fixed in backup-manager 0.5.8-1
Date: Mon, 20 Jun 2005 18:17:16 -0400
Source: backup-manager
Source-Version: 0.5.8-1

We believe that the bug you reported is fixed in the latest version of
backup-manager, which is due to be installed in the Debian FTP archive:

backup-manager_0.5.8-1.diff.gz
  to pool/main/b/backup-manager/backup-manager_0.5.8-1.diff.gz
backup-manager_0.5.8-1.dsc
  to pool/main/b/backup-manager/backup-manager_0.5.8-1.dsc
backup-manager_0.5.8-1_all.deb
  to pool/main/b/backup-manager/backup-manager_0.5.8-1_all.deb
backup-manager_0.5.8.orig.tar.gz
  to pool/main/b/backup-manager/backup-manager_0.5.8.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 308897@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexis Sukrieh <sukria@sukria.net> (supplier of updated backup-manager package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue,  7 Jun 2005 17:09:29 +0200
Source: backup-manager
Binary: backup-manager
Architecture: source all
Version: 0.5.8-1
Distribution: unstable
Urgency: low
Maintainer: Alexis Sukrieh <sukria@sukria.net>
Changed-By: Alexis Sukrieh <sukria@sukria.net>
Description: 
 backup-manager - command-line backup tool
Closes: 300801 308896 308897 308950 310890 311083
Changes: 
 backup-manager (0.5.8-1) unstable; urgency=low
 .
   * New upstream release.
     (closes: #308896, #300801, #311083, #308897)
   * postinst uses ucf for moving its conffiles.
   * postrm purges the ucf entry.
   * now depends on ucf >= 0.08
   * New pt_BT.po file for a better Brazilian Portuguese translation
     (thanks to Andre Luis Lopes)
     (closes: #310890)
   * Add vi.po for the Vietnamese translation (thanks to Clytie Siddall).
     (closes: #308950)
Files: 
 6dbcdfbecbe599e5bb05e413aa8e9005 619 admin optional backup-manager_0.5.8-1.dsc
 d6a1a7a61e3c966334faa7a867894302 37603 admin optional backup-manager_0.5.8.orig.tar.gz
 38877cf21b425e69ef2a47f2ab2959a2 30686 admin optional backup-manager_0.5.8-1.diff.gz
 0d84c168203a91eb577cf284765b207f 50436 admin optional backup-manager_0.5.8-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFCtdGVhYgK5b1UDsERAlIgAJ9/X0V2FQsMbsEa4d48+N60YZXRAgCeNhJJ
M67CfycmHg5ZNGo18QLcfks=
=mRVk
-----END PGP SIGNATURE-----




Bug reopened, originator not changed. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Merged 308897 315582. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Disconnected #315582 from all other report(s). Request was from Alexis Sukrieh <sukria@sukria.net> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#308897; Package backup-manager.

Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>:
Extra info received and forwarded to list.

Message #39 received at 308897@bugs.debian.org:

From: Alexis Sukrieh <sukria@sukria.net>
To: 308897@bugs.debian.org, 315582@bugs.debian.org
Cc: Esteban Manchado Velázquez <zoso@demiurgo.org>, Alexis Sukrieh <sukria@sukria.net>, jtv@thaiopensource.org, Paul Brossier <piem@altern.org>, vorlon@debian.org, Sven Joachim <sven_joachim@web.de>
Subject: backup-manager security fixes, pending upload.
Date: Fri, 24 Jun 2005 10:20:48 +0200
tags 315582 + pending
tags 315582 + pending
thanks

Those two security issues are pending upload.

The security team has been contacted for uploading a fixed package to
stable.

Thanks for the report and the patches.

For testers, pending packages are available here:

For sarge:
http://www.sukria.net/debian/binary/backup-manager_0.5.7-2sarge1_all.deb

For sid/etch:
http://www.sukria.net/debian/binary/backup-manager_0.5.8-2_all.deb

You can find the sources of those packages here:
http://www.sukria.net/debian/source/

Regards.

-- 
                                  Alexis Sukrieh <sukria@sukria.net>
                                               http://www.sukria.net

« Quidquid latine dictum sit, altum sonatur. » 
Whatever is said in Latin sounds profound.



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#308897; Package backup-manager.

Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>:
Extra info received and forwarded to list.

Message #44 received at 308897@bugs.debian.org:

From: Alexis Sukrieh <sukria@sukria.net>
To: 308897@bugs.debian.org, 315582@bugs.debian.org
Cc: 308897-submitter@bugs.debian.org, 315582-submitter@bugs.debian.org
Subject: Bugs closed in etch and sid
Date: Mon, 11 Jul 2005 14:26:20 +0200
tags 308897 - etch
tags 315582 - etch
thanks

The 0.5.8-2 package is in testing now and closes those bugs.

-- 

 - Alexis Sukrieh 




Tags removed: etch Request was from Alexis Sukrieh <sukria@sukria.net> to control@bugs.debian.org.

Message sent on to jtv@thaiopensource.org (Jeroen Vermeulen):
Bug#308897.

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#308897; Package backup-manager.

Acknowledgement sent to Alexis Sukrieh <sukria@sukria.net>:
Extra info received and forwarded to list.

Message #54 received at 308897@bugs.debian.org:

From: Alexis Sukrieh <sukria@sukria.net>
To: 308897@bugs.debian.org, 315582@bugs.debian.org, 308897-submitter@bugs.debian.org, 315582-submitter@bugs.debian.org
Subject: [backup-manager] Pending security upload
Date: Fri, 29 Jul 2005 17:46:46 +0200
tags 308897 + pending
tags 315582 + pending
thanks

These two bugs are fixed in the new pending sarge package (0.5.7-1sarge1), 
which will be uploaded hopefully to the security archive soon.

Regards.

-- 

 - Alexis Sukrieh 




Tags added: pending Request was from Alexis Sukrieh <sukria@sukria.net> to control@bugs.debian.org.

Message sent on to jtv@thaiopensource.org (Jeroen Vermeulen):
Bug#308897.

Tags added: fixed Request was from Alexis Sukrieh <sukria@sukria.net> to control@bugs.debian.org.

Reply sent to Alexis Sukrieh <sukria@sukria.net>:
You have taken responsibility.

Notification sent to jtv@thaiopensource.org (Jeroen Vermeulen):
Bug acknowledged by developer.

Message #66 received at 308897-done@bugs.debian.org:

From: Alexis Sukrieh <sukria@sukria.net>
To: 308897-done@bugs.debian.org, 315582-done@bugs.debian.org
Subject: bug closed
Date: Wed, 28 Sep 2005 11:04:51 +0200
Those bugs are closed in sarge now, and they are not open in etch and
sid.




Tags added: fixed Request was from Alexis Sukrieh <sukria@sukria.net> to control@bugs.debian.org.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 22:10:19 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 05:38:07 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.