Your message dated Sun, 23 Feb 2014 19:09:42 +0100
with message-id <[email protected]>
and subject line Re: Bug#739902: apt-listbugs: incorrect warning for Insecure 
world writable dir /tmp/
has caused the Debian Bug report #739902,
regarding apt-listbugs: incorrect warning for Insecure world writable dir /tmp/
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
739902: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739902
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: apt-listbugs
Version: 0.1.12
Severity: minor

When running, apt-listbugs displays a warning:
"/usr/sbin/apt-listbugs:282: warning: Insecure world writable dir /tmp/.
in PATH, mode 041777"

My /tmp is indeed in this mode (rwx rwx rwt), but those access
permissions are ok.


-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.12-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL 
set to fr_FR.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt-listbugs depends on:
ii  apt                           0.9.15.2
ii  ruby                          1:1.9.3
ii  ruby-debian                   0.3.8+b2
ii  ruby-gettext                  3.0.3-2
ii  ruby-httpclient               2.3.3-2
ii  ruby-soap4r                   2.0.5-3
ii  ruby-xmlparser                0.7.2-3
ii  ruby1.9.1 [ruby-interpreter]  1.9.3.484-1

apt-listbugs recommends no packages.

Versions of packages apt-listbugs suggests:
ii  debianutils             4.4
ii  elinks [www-browser]    0.12~pre6-4
ii  lynx-cur [www-browser]  2.8.8pre5-1
ii  reportbug               6.5.0

-- no debconf information

--- End Message ---
--- Begin Message ---
On Sun, 23 Feb 2014 17:09:29 +0000 Damien CLAUZEL wrote:

> Package: apt-listbugs
> Version: 0.1.12
> Severity: minor
> 
> When running, apt-listbugs displays a warning:
> "/usr/sbin/apt-listbugs:282: warning: Insecure world writable dir /tmp/.
> in PATH, mode 041777"
> 
> My /tmp is indeed in this mode (rwx rwx rwt), but those access
> permissions are ok.

Hello Damien,
thanks for your bug report.

I have the same exact permissions for /tmp and apt-listbugs does not
complain.

However, looking closer at the warning, it says that the insecure world
writable directory (/tmp) is in your PATH !
That is to say, you have /tmp in your PATH environment variable!!!

I have just reproduced the behavior you experienced, by (temporarily)
adding /tmp to my PATH environment variable.

Having /tmp in the PATH is indeed not recommended, since any user could
put a malicious executable in /tmp and trick you into running it as a
"normal" command; depending on the position of /tmp in your PATH,
executable files with conflicting names could even take precedence over
system commands!
Hence, it's good that the Ruby interpreter warns you about this
potential security issue, when calling a system command (dpkg-query is
invoked at line 282 of /usr/sbin/apt-listbugs).

I strongly recommend you to avoid putting /tmp into your PATH
environment variable.

I am closing your bug report, since the behavior you experienced is not
a bug, it's a feature to warn you about a potential security
issue in your setup.

I hope my reply clarifies the situation.
Bye.


-- 
 http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
 New GnuPG key, see the transition document!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE

Attachment: pgpwI3XRZs064.pgp
Description: PGP signature


--- End Message ---

Reply via email to