Your message dated Sun, 23 Feb 2014 19:09:42 +0100
with message-id <[email protected]>
and subject line Re: Bug#739902: apt-listbugs: incorrect warning for Insecure
world writable dir /tmp/
has caused the Debian Bug report #739902,
regarding apt-listbugs: incorrect warning for Insecure world writable dir /tmp/
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
739902: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739902
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: apt-listbugs
Version: 0.1.12
Severity: minor
When running, apt-listbugs displays a warning:
"/usr/sbin/apt-listbugs:282: warning: Insecure world writable dir /tmp/.
in PATH, mode 041777"
My /tmp is indeed in this mode (rwx rwx rwt), but those access
permissions are ok.
-- System Information:
Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.12-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8) (ignored: LC_ALL
set to fr_FR.UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages apt-listbugs depends on:
ii apt 0.9.15.2
ii ruby 1:1.9.3
ii ruby-debian 0.3.8+b2
ii ruby-gettext 3.0.3-2
ii ruby-httpclient 2.3.3-2
ii ruby-soap4r 2.0.5-3
ii ruby-xmlparser 0.7.2-3
ii ruby1.9.1 [ruby-interpreter] 1.9.3.484-1
apt-listbugs recommends no packages.
Versions of packages apt-listbugs suggests:
ii debianutils 4.4
ii elinks [www-browser] 0.12~pre6-4
ii lynx-cur [www-browser] 2.8.8pre5-1
ii reportbug 6.5.0
-- no debconf information
--- End Message ---
--- Begin Message ---
On Sun, 23 Feb 2014 17:09:29 +0000 Damien CLAUZEL wrote:
> Package: apt-listbugs
> Version: 0.1.12
> Severity: minor
>
> When running, apt-listbugs displays a warning:
> "/usr/sbin/apt-listbugs:282: warning: Insecure world writable dir /tmp/.
> in PATH, mode 041777"
>
> My /tmp is indeed in this mode (rwx rwx rwt), but those access
> permissions are ok.
Hello Damien,
thanks for your bug report.
I have the same exact permissions for /tmp and apt-listbugs does not
complain.
However, looking closer at the warning, it says that the insecure world
writable directory (/tmp) is in your PATH !
That is to say, you have /tmp in your PATH environment variable!!!
I have just reproduced the behavior you experienced, by (temporarily)
adding /tmp to my PATH environment variable.
Having /tmp in the PATH is indeed not recommended, since any user could
put a malicious executable in /tmp and trick you into running it as a
"normal" command; depending on the position of /tmp in your PATH,
executable files with conflicting names could even take precedence over
system commands!
Hence, it's good that the Ruby interpreter warns you about this
potential security issue, when calling a system command (dpkg-query is
invoked at line 282 of /usr/sbin/apt-listbugs).
I strongly recommend you to avoid putting /tmp into your PATH
environment variable.
I am closing your bug report, since the behavior you experienced is not
a bug, it's a feature to warn you about a potential security
issue in your setup.
I hope my reply clarifies the situation.
Bye.
--
http://www.inventati.org/frx/frx-gpg-key-transition-2010.txt
New GnuPG key, see the transition document!
..................................................... Francesco Poli .
GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE
pgpwI3XRZs064.pgp
Description: PGP signature
--- End Message ---