Debian Bug report logs - #617938
/etc directories owned by non-root users allow privilege escalation attacks
Reported by: Vasiliy Kulikov <segoon@openwall.com>
Date: Sat, 12 Mar 2011 18:27:02 UTC
Severity: normal
Tags: wontfix
Done: Sean Whitton <spwhitton@spwhitton.name>
Bug is archived. No further changes may be made.
Report forwarded
to debian-bugs-dist@lists.debian.org, Jörg Sommer <joerg@alea.gnuu.de>:
Bug#617938; Package slrn.
(Sat, 12 Mar 2011 18:27:05 GMT)
Acknowledgement sent
to Vasiliy Kulikov <segoon@openwall.com>:
New Bug report received and forwarded. Copy sent to Jörg Sommer <joerg@alea.gnuu.de>.
(Sat, 12 Mar 2011 18:27:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: slrn
Version: 1.0.0~pre16-1
Severity: critical
Directories /var/log/news/ and /etc/news/ have weird ownership -
news:news. Some deb scripts use these directories as trusted and write
to files located there, e.g. like this (from slrnpull.postinst):
    echo "$RET" > /etc/news/server
These directories must not be writable by non-root as it might
compromise root via specially crafted symlinks/hardlinks/etc. created by
user or group "news".
As these directories are not owned by a single package, but are created
by each package, all packages owning files in these directories might be
vulnerable:
    $ apt-file search /etc/news/ | cut -d: -f1 | uniq
    ifgate
    inn
    inn2
    inn2-inews
    innfeed
    leafnode
    slrn
    slrnpull
    uucpsend
If I should report this bug another way as it affects multiple packages,
please tell me how I should do it.
Reference: https://bugs.launchpad.net/ubuntu/+source/slrn/+bug/731547
Thanks,
--
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
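A check for the condition this report describes, as an added example that is not part of the original report or of any Debian package: it flags a directory that a privileged script should not write into with a plain redirection such as the one quoted from slrnpull.postinst. The function name `audit_trusted_dir` and its optional trusted-uid argument are assumptions made for this example, and it relies on the `-mindepth`/`-maxdepth` options of GNU find as shipped in Debian.

```shell
#!/bin/sh
# audit_trusted_dir DIR [TRUSTED_UID]
# Prints one finding per line and returns 1 when DIR, or an entry directly
# inside it, could redirect a write made by a privileged script.
# TRUSTED_UID defaults to 0 (root); the parameter is hypothetical and exists
# so the check can also be exercised by an unprivileged user.
audit_trusted_dir() {
    dir=$1
    uid=${2:-0}
    findings=$(
        # The directory itself is owned by somebody other than the trusted uid.
        find "$dir" -prune ! -user "$uid" \
            -exec printf 'owner: %s\n' {} \;
        # The directory is writable by its group or by everyone.
        find "$dir" -prune \( -perm -020 -o -perm -002 \) \
            -exec printf 'writable: %s\n' {} \;
        # Entries through which a write lands somewhere else: symlinks, and
        # regular files that have more than one hard link.
        find "$dir" -mindepth 1 -maxdepth 1 -type l \
            -exec printf 'symlink: %s\n' {} \;
        find "$dir" -mindepth 1 -maxdepth 1 -type f -links +1 \
            -exec printf 'hardlink: %s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run against the directories named in the report when they exist.
for d in /etc/news /var/log/news; do
    if [ -d "$d" ]; then
        audit_trusted_dir "$d" || echo "review before writing into $d as root"
    fi
done
```

A clean result only describes the directory at the moment of the check; an owner who can write to it can add a link afterwards, so the ownership finding is the one that matters for the problem reported here.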
Information forwarded
to debian-bugs-dist@lists.debian.org, Jörg Sommer <joerg@alea.gnuu.de>:
Bug#617938; Package slrn.
(Sun, 19 Feb 2012 14:27:03 GMT)
Acknowledgement sent
to manuk7 <manuk7@laposte.net>:
Extra info received and forwarded to list. Copy sent to Jörg Sommer <joerg@alea.gnuu.de>.
(Sun, 19 Feb 2012 14:27:03 GMT)
Message #10 received at 617938@bugs.debian.org:
Hello,
As mentioned in the Ubuntu bug report, this behavior seems in accordance
with the Debian Policy:
http://www.debian.org/doc/manuals/securing-debian-howto/ch12.en.html#s12.1.12.1
I'm not really convinced we may consider that a bug; however, it
should be reported to the Debian Policy (I don't know how) rather than
to any package.
I suggest to close this bug.
Message sent on
to Vasiliy Kulikov <segoon@openwall.com>:
Bug#617938.
(Sun, 19 Feb 2012 14:27:11 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Jörg Sommer <joerg@alea.gnuu.de>:
Bug#617938; Package slrn.
(Wed, 04 Jul 2012 14:48:03 GMT)
Acknowledgement sent
to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jörg Sommer <joerg@alea.gnuu.de>.
(Wed, 04 Jul 2012 14:48:04 GMT)
Message #18 received at 617938@bugs.debian.org:
reassign 617938 debian-polic
severity 617938 normal
thanks
On Sat, Mar 12, 2011 at 09:25:58PM +0300, Vasiliy Kulikov wrote:
> Package: slrn
> Version: 1.0.0~pre16-1
> Severity: critical
>
> Directories /var/log/news/ and /etc/news/ have weird ownership -
> news:news. Some deb scripts use these directories as trusted and write
> to files located there, e.g. like this (from slrnpull.postinst):
>
> echo "$RET" > /etc/news/server
>
> These directories must not be writable by non-root as it might
> compromise root via specially crafted symlinks/hardlinks/etc. created by
> user or group "news".
>
> As these directories are not owned by a single package, but are created
> by each package, all packages owning files in these directories might be
> vulnerable:
>
> $ apt-file search /etc/news/ | cut -d: -f1 | uniq
> ifgate
> inn
> inn2
> inn2-inews
> innfeed
> leafnode
> slrn
> slrnpull
> uucpsend
>
> If I should report this bug another way as it affects multiple packages,
> please tell me how I should do it.
This is part of the Debian policy (11.7). I'm reassigning this to
debian-policy.
Cheers,
Moritz
Bug reassigned from package 'slrn' to 'debian-polic'.
Request was from Moritz Muehlenhoff <jmm@inutil.org>
to control@bugs.debian.org.
(Wed, 04 Jul 2012 14:48:08 GMT)
No longer marked as found in versions slrn/1.0.0~pre16-1.
Request was from Moritz Muehlenhoff <jmm@inutil.org>
to control@bugs.debian.org.
(Wed, 04 Jul 2012 14:48:09 GMT)
Severity set to 'normal' from 'critical'
Request was from Moritz Muehlenhoff <jmm@inutil.org>
to control@bugs.debian.org.
(Wed, 04 Jul 2012 14:48:09 GMT)
Changed Bug title to '/etc directories owned by non-root users allow privilege escalation attacks' from 'wrong ownership of /var/log/news/ and /etc/news/'
Request was from Russ Allbery <rra@debian.org>
to control@bugs.debian.org.
(Sun, 12 Aug 2012 18:30:08 GMT)
Reply sent
to Sean Whitton <spwhitton@spwhitton.name>:
You have taken responsibility.
(Fri, 11 Aug 2017 19:58:21 GMT)
Notification sent
to Vasiliy Kulikov <segoon@openwall.com>:
Bug acknowledged by developer.
(Fri, 11 Aug 2017 19:58:21 GMT)
Message #33 received at 617938-close@bugs.debian.org:
control: user debian-policy@packages.debian.org
control: usertag -1 +obsolete
control: tag -1 +wontfix
Russ Allbery and I did a round of in-person bug triage at DebConf17 and
we are closing this bug as inactive.
The reasons for closing fall into the following categories, from most
frequent to least frequent:
- issue is appropriate for Policy, there is a consensus on how to fix
the problem, but preparing the patch is very time-consuming and no-one
has volunteered to do it, and we do not judge the issue to be
important enough to keep an open bug around;
- issue is appropriate for Policy but there does not yet exist a
consensus on what should change, and no recent discussion. A fresh
discussion might allow us to reach consensus, and the messages in the
old bug are unlikely to help very much; or
- issue is not appropriate for Policy.
If you feel this bug is still relevant and want to restart the
discussion, you can re-open the bug. However, please consider instead
opening a new bug with a message that summarises and condenses the
previous discussion, updates the report for the current state of Debian,
and makes clear exactly what you think should change.
A lot of these old bugs have long side tangents and numerous messages,
and that old discussion is not necessarily helpful for figuring out what
Debian Policy should say today.
--
Sean Whitton
Added tag(s) wontfix.
Request was from Sean Whitton <spwhitton@spwhitton.name>
to control@bugs.debian.org.
(Fri, 11 Aug 2017 20:18:04 GMT)
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 09 Sep 2017 07:35:52 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sat Jan 13 02:37:30 2018;