On Sat, Nov 19, 2005 at 11:35:09AM +0100, Pierre THIERRY wrote:
> > There are lots of ways that one can manage to lose ACLs and EAs on
> > files using traditional Unix tools;

> But shouldn't simply *all* problematic packages be filed a security bug?

The BTS definition of the security tag is:

  This bug describes a security problem in a package (e.g., bad
  permissions allowing access to data that shouldn't be accessible;
  buffer overruns allowing people to control a system in ways they
  shouldn't be able to; denial of service attacks that should be fixed,
  etc). Most security bugs should also be set at critical or grave
  severity.

I don't think this bug really qualifies; it may *lead* to bad permissions
as a result of a user using sed -i without understanding the
consequences, but it's not a hole in the package that an attacker is
exploiting directly (which is how I understand the "security" tag). This
bug only manifests if the user assumes that standard Unix tools work
out-of-the-box with ACLs and EAs -- a very foolish assumption at this
point. Tagging this bug 'security' also doesn't help our security team,
as this isn't a bug they're going to be trying to fix.

Anyway, as far as security is concerned, I would expect anyone using
extended ACLs that need to *block* access to users that would otherwise
be permitted to set appropriate default ACLs on the parent directory, so
that files are automatically created with appropriately strict
permissions.

> > Given that most users are going to get this wrong when *not* using the
> > -i option to sed for in-place editing, I don't see any grounds for
> > treating this as a grave bug.

> I see this the opposite way: that makes the bug and its little brothers
> more serious, because it's not isolated...

I don't think that's realistic. I suspect there are quite a number of
package maintainer scripts that don't even preserve *basic* Unix
permissions when making changes to config files. These are certainly
bugs, I agree with that, but it just doesn't make any sense to treat them
as release-critical AFAICS.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
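
The failure mode this message describes (a script that edits a config file by writing a new file and renaming it over the old one, losing the old file's permissions) can be reproduced with basic Unix modes alone. The following is an added example, not code from this thread or from any Debian package; the function names, the file name app.conf and its contents are constructed for illustration.

```python
import os
import shutil
import stat
import tempfile


def rewrite_naive(path, transform):
    """Replace path via temp file + rename; the new inode gets a umask-derived mode."""
    with open(path) as src:
        data = transform(src.read())
    tmp = path + ".new"
    with open(tmp, "w") as dst:      # created as 0666 & ~umask
        dst.write(data)
    os.replace(tmp, path)            # old inode, with its mode/ACL/EAs, is gone


def rewrite_preserving(path, transform):
    """Same edit, but the temp file starts private and inherits the old metadata."""
    with open(path) as src:
        data = transform(src.read())
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")  # mode 0600
    try:
        with os.fdopen(fd, "w") as dst:
            dst.write(data)
        # copystat copies mode and timestamps and, on Linux, extended
        # attributes where the filesystem and privileges allow it.
        shutil.copystat(path, tmp)
        os.replace(tmp, path)
    except BaseException:
        os.unlink(tmp)
        raise


def demo():
    """Return (mode after naive edit, mode after preserving edit) for a 0600 file."""
    old_umask = os.umask(0o022)
    results = []
    try:
        with tempfile.TemporaryDirectory() as d:
            for rewrite in (rewrite_naive, rewrite_preserving):
                cfg = os.path.join(d, "app.conf")        # constructed sample file
                with open(cfg, "w") as f:
                    f.write("password = hunter2\n")
                os.chmod(cfg, 0o600)
                rewrite(cfg, lambda s: s.replace("hunter2", "changed"))
                results.append(stat.S_IMODE(os.stat(cfg).st_mode))
    finally:
        os.umask(old_umask)
    return tuple(results)
```

With a umask of 022 the naive rewrite turns the 0600 file into 0644, while the preserving rewrite keeps 0600. Neither function restores ownership, which needs a separate chown and the privilege to perform it.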