Debian Bug report logs - #620458
base-files: Please make /var/run world-writable and sticky, like /var/lock and /tmp

Package: general; Maintainer for general is debian-devel@lists.debian.org;

Reported by: Josh Triplett <josh@joshtriplett.org>

Date: Sat, 2 Apr 2011 01:15:01 UTC

Severity: wishlist

Done: Holger Levsen <holger@layer-acht.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, josh@joshtriplett.org, Santiago Vila <sanvila@debian.org>:
Bug#620458; Package base-files. (Sat, 02 Apr 2011 01:15:04 GMT) Full text and rfc822 format available.

Message #3 received at submit@bugs.debian.org (full text, mbox):

From: Josh Triplett <josh@joshtriplett.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: base-files: Please make /var/run world-writable and sticky, like /var/lock and /tmp
Date: Fri, 01 Apr 2011 18:11:25 -0700
Package: base-files
Version: 6.1
Severity: wishlist

/tmp and /var/lock currently allow writes by anyone, with the sticky bit
set to only allow removal by the owner.  Please consider doing the same
for /var/run.  That would allow daemons run as non-root users (including
those run as part of user sessions) to put their sockets in /var/run.

Thanks,
Josh Triplett

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages base-files depends on:
ii  gawk [awk]                1:3.1.7.dfsg-5 GNU awk, a pattern scanning and pr
ii  mawk [awk]                1.3.3-15       a pattern scanning and text proces

base-files recommends no packages.

base-files suggests no packages.

-- no debconf information




Added indication that bug 620458 blocks 620454 Request was from Josh Triplett <josh@joshtriplett.org> to control@bugs.debian.org. (Sat, 02 Apr 2011 01:51:03 GMT) Full text and rfc822 format available.

Added indication that bug 620458 blocks 620456 Request was from Josh Triplett <josh@joshtriplett.org> to control@bugs.debian.org. (Sat, 02 Apr 2011 01:51:06 GMT) Full text and rfc822 format available.

Added indication that bug 620458 blocks 620457 Request was from Josh Triplett <josh@joshtriplett.org> to control@bugs.debian.org. (Sat, 02 Apr 2011 01:51:09 GMT) Full text and rfc822 format available.

Added indication that bug 620458 blocks 620450 Request was from Josh Triplett <josh@joshtriplett.org> to control@bugs.debian.org. (Sat, 02 Apr 2011 01:51:12 GMT) Full text and rfc822 format available.

Removed indication that bug 620458 blocks 620450 Request was from Josh Triplett <josh@joshtriplett.org> to control@bugs.debian.org. (Sat, 02 Apr 2011 08:09:07 GMT) Full text and rfc822 format available.

Removed indication that bug 620458 blocks 620454 Request was from Josh Triplett <josh@joshtriplett.org> to control@bugs.debian.org. (Sat, 02 Apr 2011 08:21:10 GMT) Full text and rfc822 format available.

Removed indication that bug 620458 blocks 620456 Request was from Josh Triplett <josh@joshtriplett.org> to control@bugs.debian.org. (Sat, 02 Apr 2011 08:21:15 GMT) Full text and rfc822 format available.

Removed indication that bug 620458 blocks 620457 Request was from Josh Triplett <josh@joshtriplett.org> to control@bugs.debian.org. (Sat, 02 Apr 2011 08:21:17 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, josh@joshtriplett.org, Santiago Vila <sanvila@debian.org>:
Bug#620458; Package base-files. (Sat, 02 Apr 2011 08:33:06 GMT) Full text and rfc822 format available.

Message #22 received at 620458@bugs.debian.org (full text, mbox):

From: Josh Triplett <josh@joshtriplett.org>
To: Debian Bug Tracking System <620458@bugs.debian.org>
Subject: Re: Please make /var/run world-writable and sticky, like /var/lock and /tmp
Date: Sat, 02 Apr 2011 01:29:55 -0700
Package: base-files
Followup-For: Bug #620458

A followup note regarding this request: this would need to happen in
conjunction with some auditing of software using /var/run, to make sure
that software doesn't have insecure temporary file vulnerabilities.

- Josh Triplett

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages base-files depends on:
ii  gawk [awk]                1:3.1.7.dfsg-5 GNU awk, a pattern scanning and pr
ii  mawk [awk]                1.3.3-15       a pattern scanning and text proces

base-files recommends no packages.

base-files suggests no packages.

-- no debconf information




Bug reassigned from package 'base-files' to 'general'. Request was from Santiago Vila <sanvila@unex.es> to control@bugs.debian.org. (Tue, 05 Apr 2011 15:30:10 GMT) Full text and rfc822 format available.

Bug No longer marked as found in versions base-files/6.1. Request was from Santiago Vila <sanvila@unex.es> to control@bugs.debian.org. (Tue, 05 Apr 2011 15:30:11 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#620458; Package general. (Tue, 05 Apr 2011 15:36:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Santiago Vila <sanvila@unex.es>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. (Tue, 05 Apr 2011 15:36:03 GMT) Full text and rfc822 format available.

Message #31 received at 620458@bugs.debian.org (full text, mbox):

From: Santiago Vila <sanvila@unex.es>
To: Josh Triplett <josh@joshtriplett.org>, 620458@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#620458: base-files: Please make /var/run world-writable and sticky, like /var/lock and /tmp
Date: Tue, 5 Apr 2011 17:27:20 +0200 (CEST)
reassign 620458 general
thanks

On Fri, 1 Apr 2011, Josh Triplett wrote:

> Package: base-files
> Version: 6.1
> Severity: wishlist
> 
> /tmp and /var/lock currently allow writes by anyone, with the sticky bit
> set to only allow removal by the owner.  Please consider doing the same
> for /var/run.  That would allow daemons run as non-root users (including
> those run as part of user sessions) to put their sockets in /var/run.

I will be happy to change the default permissions once that every
program is modified to support both 755 and 1777 permissions.

But until then, this is *hardly* a bug in base-files (as I can't fix it)
but a general bug, as it affects a large number of packages, hence the
reassign.




Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#620458; Package general. (Tue, 05 Apr 2011 15:39:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Michael Biebl <biebl@debian.org>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. (Tue, 05 Apr 2011 15:39:09 GMT) Full text and rfc822 format available.

Message #36 received at 620458@bugs.debian.org (full text, mbox):

From: Michael Biebl <biebl@debian.org>
To: debian-devel@lists.debian.org, 620458@bugs.debian.org
Subject: Re: Processed: Re: Bug#620458: base-files: Please make /var/run world-writable and sticky, like /var/lock and /tmp
Date: Tue, 05 Apr 2011 17:38:08 +0200
[Message part 1 (text/plain, inline)]
Am 05.04.2011 17:30, schrieb Debian Bug Tracking System:
> Processing commands for control@bugs.debian.org:
> 
>> reassign 620458 general
> Bug #620458 [base-files] base-files: Please make /var/run world-writable and sticky, like /var/lock and /tmp
> Bug reassigned from package 'base-files' to 'general'.
> Bug No longer marked as found in versions base-files/6.1.

Very bad idea imho, I'm strongly against it.
The point of /run is not to create a second /tmp, where everyone can write into.

daemons running as regular user should either put it's runtime files in $HOME or
$XDG_RUNTIME_DIR [1]. The latter is relatively new and I'd rather see us embrace
that in Debian and make sure it is setup properly.


Michael

[1] http://standards.freedesktop.org/basedir-spec/basedir-spec-latest.html
-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?

[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#620458; Package general. (Tue, 05 Apr 2011 16:36:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Yaroslav Halchenko <debian@onerussian.com>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. (Tue, 05 Apr 2011 16:36:05 GMT) Full text and rfc822 format available.

Message #41 received at 620458@bugs.debian.org (full text, mbox):

From: Yaroslav Halchenko <debian@onerussian.com>
To: Santiago Vila <sanvila@unex.es>, 620458@bugs.debian.org
Cc: Josh Triplett <josh@joshtriplett.org>
Subject: Re: Bug#620458: base-files: Please make /var/run world-writable and sticky, like /var/lock and /tmp
Date: Tue, 5 Apr 2011 12:31:59 -0400
sorry for a blunt follow-up -- wouldn't making /var/run writable by
regular mortals  ask for security concerns if an attacker starts
pre-creating files/pipes trying to steal the communications of
daemons spawned by root or just ruin some data on the system by
symlinking against root-owned files?

On Tue, 05 Apr 2011, Santiago Vila wrote:
> > /tmp and /var/lock currently allow writes by anyone, with the sticky bit
> > set to only allow removal by the owner.  Please consider doing the same
> > for /var/run.  That would allow daemons run as non-root users (including
> > those run as part of user sessions) to put their sockets in /var/run.

> I will be happy to change the default permissions once that every
> program is modified to support both 755 and 1777 permissions.

> But until then, this is *hardly* a bug in base-files (as I can't fix it)
> but a general bug, as it affects a large number of packages, hence the
> reassign.
-- 
=------------------------------------------------------------------=
Keep in touch                                     www.onerussian.com
Yaroslav Halchenko                 www.ohloh.net/accounts/yarikoptic




Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#620458; Package general. (Tue, 05 Apr 2011 16:42:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to md@Linux.IT (Marco d'Itri):
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. (Tue, 05 Apr 2011 16:42:05 GMT) Full text and rfc822 format available.

Message #46 received at 620458@bugs.debian.org (full text, mbox):

From: md@Linux.IT (Marco d'Itri)
Cc: debian-devel@lists.debian.org, 620458@bugs.debian.org
Subject: Re: Processed: Re: Bug#620458: base-files: Please make /var/run world-writable and sticky, like /var/lock and /tmp
Date: Tue, 5 Apr 2011 18:29:28 +0200
[Message part 1 (text/plain, inline)]
On Apr 05, Michael Biebl <biebl@debian.org> wrote:

> Very bad idea imho, I'm strongly against it.
> The point of /run is not to create a second /tmp, where everyone can write into.
Agreed, I really do not want to consider the security implications of a
world-writeable {,/var}/run.
Programs which use /run are supposed to use a subdirectory anyway.

-- 
ciao,
Marco
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#620458; Package general. (Tue, 05 Apr 2011 17:15:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Don Armstrong <don@debian.org>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. (Tue, 05 Apr 2011 17:15:06 GMT) Full text and rfc822 format available.

Message #51 received at 620458@bugs.debian.org (full text, mbox):

From: Don Armstrong <don@debian.org>
To: 620458@bugs.debian.org
Subject: Re: Processed: Re: Bug#620458: base-files: Please make /var/run world-writable and sticky, like /var/lock and /tmp
Date: Tue, 5 Apr 2011 10:03:10 -0700
On Tue, 05 Apr 2011, Michael Biebl wrote:
> Am 05.04.2011 17:30, schrieb Debian Bug Tracking System:
> > Processing commands for control@bugs.debian.org:
> > 
> >> reassign 620458 general
> > Bug #620458 [base-files] base-files: Please make /var/run world-writable and sticky, like /var/lock and /tmp
> > Bug reassigned from package 'base-files' to 'general'.
> > Bug No longer marked as found in versions base-files/6.1.
> 
> Very bad idea imho, I'm strongly against it.
> The point of /run is not to create a second /tmp, where everyone can write into.
> 
> daemons running as regular user should either put it's runtime files in $HOME or
> $XDG_RUNTIME_DIR [1].

Since the init scripts get run as root, they should create a
subdirectory of {/var,}/run, chown/chmod it appropriately, and then
start the daemon. [If we're talking about things that get started by a
normal user, then they should use $HOME (or some other more specific
runtime directory.)]


Don Armstrong

-- 
They say when you embark on a journey
of revenge
dig two graves.
They underestimate me.
 -- a softer world #560
    http://www.asofterworld.com/index.php?id=560

http://www.donarmstrong.com              http://rzlab.ucr.edu




Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#620458; Package general. (Tue, 05 Apr 2011 21:57:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to russell@coker.com.au:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. (Tue, 05 Apr 2011 21:57:15 GMT) Full text and rfc822 format available.

Message #56 received at 620458@bugs.debian.org (full text, mbox):

From: Russell Coker <russell@coker.com.au>
To: debian-devel@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>, 620458@bugs.debian.org
Subject: Re: Bug#620458: base-files: Please make /var/run world-writable and sticky, like /var/lock and /tmp
Date: Wed, 6 Apr 2011 07:48:16 +1000
On Wed, 6 Apr 2011, Yaroslav Halchenko <debian@onerussian.com> wrote:
> sorry for a blunt follow-up -- wouldn't making /var/run writable by
> regular mortals  ask for security concerns if an attacker starts
> pre-creating files/pipes trying to steal the communications of
> daemons spawned by root or just ruin some data on the system by
> symlinking against root-owned files?

There have been security issues with daemons using /tmp for Unix domain 
sockets in the past.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/




Information forwarded to debian-bugs-dist@lists.debian.org, debian-devel@lists.debian.org:
Bug#620458; Package general. (Wed, 06 Apr 2011 15:14:23 GMT) Full text and rfc822 format available.

Acknowledgement sent to Goswin von Brederlow <goswin-v-b@web.de>:
Extra info received and forwarded to list. Copy sent to debian-devel@lists.debian.org. (Wed, 06 Apr 2011 15:14:54 GMT) Full text and rfc822 format available.

Message #61 received at 620458@bugs.debian.org (full text, mbox):

From: Goswin von Brederlow <goswin-v-b@web.de>
To: russell@coker.com.au
Cc: debian-devel@lists.debian.org, Yaroslav Halchenko <debian@onerussian.com>, 620458@bugs.debian.org
Subject: Re: Bug#620458: base-files: Please make /var/run world-writable and sticky, like /var/lock and /tmp
Date: Wed, 06 Apr 2011 16:56:50 +0200
Russell Coker <russell@coker.com.au> writes:

> On Wed, 6 Apr 2011, Yaroslav Halchenko <debian@onerussian.com> wrote:
>> sorry for a blunt follow-up -- wouldn't making /var/run writable by
>> regular mortals  ask for security concerns if an attacker starts
>> pre-creating files/pipes trying to steal the communications of
>> daemons spawned by root or just ruin some data on the system by
>> symlinking against root-owned files?
>
> There have been security issues with daemons using /tmp for Unix domain 
> sockets in the past.

And the same issues would happen in /var/run. A different base path
doesn't make security bugs disapear.

MfG
        Goswin





Reply sent to Holger Levsen <holger@layer-acht.org>:
You have taken responsibility. (Sat, 09 Apr 2011 08:09:45 GMT) Full text and rfc822 format available.

Notification sent to Josh Triplett <josh@joshtriplett.org>:
Bug acknowledged by developer. (Sat, 09 Apr 2011 08:09:52 GMT) Full text and rfc822 format available.

Message #66 received at 620458-done@bugs.debian.org (full text, mbox):

From: Holger Levsen <holger@layer-acht.org>
To: 620458-done@bugs.debian.org
Subject: Re: Processed: Re: Bug#620458: base-files: Please make /var/run world-writable and sticky, like /var/lock and /tmp
Date: Sat, 9 Apr 2011 10:00:13 +0200
[Message part 1 (text/plain, inline)]
Hi,

On Dienstag, 5. April 2011, Marco d'Itri wrote:
> On Apr 05, Michael Biebl <biebl@debian.org> wrote:
> > Very bad idea imho, I'm strongly against it.
> > The point of /run is not to create a second /tmp, where everyone can
> > write into.
> Agreed, I really do not want to consider the security implications of a
> world-writeable {,/var}/run.
> Programs which use /run are supposed to use a subdirectory anyway.

Agreed, thus closing.


cheers,
	Holger

[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 08 May 2011 07:36:59 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 13:41:33 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.