Hi Michael,

thanks for your response. The permission setting you described is exactly the setting I found on my host(s):

    root@intra:/etc/freeradius# ls -ldR /etc/freeradius/
    drwxr-s--x 6 freerad freerad 28 Feb 25 16:39 /etc/freeradius/

_But_ in combination with the /etc/freeradius/users permission setting:

    root@intra:/etc/freeradius# ls -ldR /etc/freeradius/users
    -rw-r--r-- 1 root root 6524 Jul 26 2017 /etc/freeradius/users

an "other" user can simply read the (maybe sensitive) content via a simple "cat /etc/freeradius/users".

So, from my point of view the /etc/freeradius permissions should for example be set to 750, or the files within this directory (especially the "users" file) need more restrictive permissions.

Sorry for not sending the bug report from the affected host, but in this case I think it is not necessary anymore?

Greets
Simon

From: mich...@i3wm.org [mailto:mich...@i3wm.org] On behalf of Michael Stapelberg
Sent: Sunday, 25 February 2018 16:13
To: Simon Boldinger <si...@turnagile.com>; 890...@bugs.debian.org
Subject: Re: [Pkg-freeradius-maintainers] Bug#890933: freeradius: File permissions allow access to sensitive information by "others"

Hey Simon,

On Tue, Feb 20, 2018 at 8:09 PM, Simon Boldinger <si...@turnagile.com <mailto:si...@turnagile.com> > wrote:

> Package: freeradius
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Dear Maintainer,
>
> first of all, I already shared the following information with the Debian security team and they asked me to file this as a bug report: "I'm not why the Debian packaging diverges, can you please file a bug against freeradius to have the discussion with the maintainers in public?", Moritz Muehlenhoff from the Debian security team.
>
> Issue:
> It seems that sensitive information (for example stored in /etc/freeradius/users) can be read by every system user ("others"). After asking the freeradius team I was told that the /etc/freeradius directory has permissions 750 on their install (see Makefile).
> On my standard Ubuntu/Debian package installation there is another/divergent permission set, which allows every system user to access the freeradius directory (and therefore also some files like /etc/freeradius/users which can contain sensitive information).

I cannot reproduce this. After "apt install freeradius" on Debian sid, I end up with the following directory:

    root@a584ef009927:/# ls -ldR /etc/freeradius
    drwxr-s--x 3 freerad freerad 4096 Feb 25 15:08 /etc/freeradius

The permissions are set up by https://anonscm.debian.org/cgit/pkg-freeradius/freeradius.git/tree/debian/freeradius.postinst?id=f205eab8474e33183d936f4f60006a2e070e8335#n23

Unfortunately, your bug report was not filed from the machine on which you installed freeradius, so I can't see which version of the package you're using. Can you provide more details on your installation, along with the result of ls -ldR /etc/freeradius please?

> I assume the Debian freeradius package should be adapted, so that access to the whole /etc/freeradius directory is restricted, as intended by the freeradius team.
>
> Best regards
> Simon Boldinger
>
> -- System Information:
> Debian Release: stretch/sid
>   APT prefers artful-updates
>   APT policy: (500, 'artful-updates'), (500, 'artful-security'), (500, 'artful'), (100, 'artful-backports')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.13.0-32-generic (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages freeradius depends on:
> pn  freeradius-common  <none>
> pn  freeradius-config  <none>
> ii  libc6              2.26-0ubuntu2.1
> pn  libct4             <none>
> pn  libfreeradius3     <none>
> ii  libgdbm3           1.8.3-14
> ii  libpam0g           1.1.8-3.2ubuntu3
> ii  libperl5.26        5.26.0-8ubuntu1
> ii  libpython2.7       2.7.14-2ubuntu2
> ii  libreadline7       7.0-0ubuntu2
> ii  libsqlite3-0       3.19.3-3
> ii  libssl1.0.0        1.0.2g-1ubuntu13.3
> ii  libtalloc2         2.1.9-2ubuntu1
> ii  libwbclient0       2:4.6.7+dfsg-1ubuntu3.1
> ii  lsb-base           9.20160110ubuntu5
>
> Versions of packages freeradius recommends:
> pn  freeradius-utils  <none>
>
> Versions of packages freeradius suggests:
> pn  freeradius-krb5        <none>
> pn  freeradius-ldap        <none>
> pn  freeradius-mysql       <none>
> pn  freeradius-postgresql  <none>
> pn  snmp                   <none>
>
> _______________________________________________
> Pkg-freeradius-maintainers mailing list
> pkg-freeradius-maintain...@lists.alioth.debian.org <mailto:pkg-freeradius-maintain...@lists.alioth.debian.org>
> https://lists.alioth.debian.org/mailman/listinfo/pkg-freeradius-maintainers

--
Best regards,
Michael
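The disagreement in the thread comes down to one detail: a directory mode such as drwxr-s--x (2711) denies "others" the listing bit (o+r) but keeps the traverse bit (o+x), so anyone who knows a filename inside can still open it if that file is itself world-readable, as the 644 users file is. The script below is an added example, not code from the bug report or from the Debian package. It audits a directory for exactly that combination, treating a file as exposed only when every directory on the path to it carries o+x and the file carries o+r, and shows that either of the two fixes proposed in the thread (750 on the directory, or tighter modes on the files) closes the exposure. The directory path is a parameter; the fixture it builds in a temporary directory is constructed here and only mimics the layout reported above.

```shell
#!/bin/sh
# Added example, not code from the bug report or the Debian package: audit a
# config directory for the combination discussed in the thread, a directory
# that "others" may traverse (o+x, as in drwxr-s--x / 2711) holding a file that
# is world-readable (o+r, as in -rw-r--r-- / 644). The thread's real directory
# is /etc/freeradius; here it is a parameter so the check runs against any path.

# Octal mode of a path: GNU stat first, BSD stat as a fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Regular files that "others" can both reach and read. Any directory lacking
# o+x is pruned, the start directory included, because without the traverse
# bit nothing below it is reachable regardless of the file modes; a directory
# with o+x but without o+r (the 2711 case) still lets others open known names.
reachable_world_readable() {
    find "$1" -type d ! -perm -o=x -prune -o -type f -perm -o=r -print
}

# Number of such files, printed as a plain integer.
exposed_count() {
    reachable_world_readable "$1" | wc -l | tr -d ' '
}

# Human-readable report; exit status 1 when anything is exposed, so the
# function can gate a deployment or configuration-management check.
audit_dir() {
    d=$1
    exposed=$(reachable_world_readable "$d")
    if [ -z "$exposed" ]; then
        printf '%s (mode %s): no files reachable and readable by others\n' \
            "$d" "$(mode_of "$d")"
        return 0
    fi
    for f in $exposed; do
        printf 'EXPOSED %s (dir mode %s, file mode %s)\n' \
            "$f" "$(mode_of "$d")" "$(mode_of "$f")"
    done
    return 1
}

# Constructed fixture reproducing the layout from the thread in a temp dir:
# a 2711 directory holding a 644 "users" file with a made-up entry.
make_fixture() {
    t=$(mktemp -d)
    mkdir "$t/freeradius"
    printf 'bob Cleartext-Password := "constructed-secret"\n' > "$t/freeradius/users"
    chmod 2711 "$t/freeradius"
    chmod 644 "$t/freeradius/users"
    printf '%s\n' "$t/freeradius"
}

# Stand-alone run ("sh audit.sh demo"): show the exposure, then apply each of
# the two fixes from the thread in turn and re-audit.
if [ "${1:-}" = "demo" ]; then
    d=$(make_fixture)
    audit_dir "$d" || true                     # 2711 dir + 644 file: exposed
    chmod 750 "$d";  audit_dir "$d"            # fix 1: drop o+x on the directory
    chmod 2711 "$d"; chmod 640 "$d/users"      # fix 2: keep 2711, tighten the file
    audit_dir "$d"
    rm -rf "$(dirname "$d")"
fi
```

The check deliberately reads mode bits rather than calling access(2), so it gives the same answer whether it is run as root or as an unprivileged user; for a real audit point it at /etc/freeradius and run it after package installation and after any postinst or configuration-management step that touches modes.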