Hi Michael,

thanks for your response. The permission setting you described is exactly the
setting I found on my host(s):

root@intra:/etc/freeradius# ls -ldR /etc/freeradius/
drwxr-s--x 6 freerad freerad 28 Feb 25 16:39 /etc/freeradius/

_But_ in combination with the /etc/freeradius/users permission setting:

root@intra:/etc/freeradius# ls -ldR /etc/freeradius/users
-rw-r--r-- 1 root root 6524 Jul 26  2017 /etc/freeradius/users

An "other" user can simply read the (maybe sensitive) content via a simple "cat
/etc/freeradius/users".

So, from my point of view the /etc/freeradius permissions should for example be
set to 750 or the files within this directory (especially the "users" file)
need more restrictive permissions.

Sorry for not sending the bug report from the affected host, but in this case I
think it is not necessary anymore?

Greets

Simon
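To make the point of the thread concrete, here is an added example (not part of the bug report or of the Debian package): a small POSIX sh audit that decides from the mode bits alone whether an "other" user can read a file, checking the execute bit of every ancestor directory the way the kernel does. It rebuilds the two layouts discussed above (drwxr-s--x plus -rw-r--r--, versus 750) in a temporary directory, so the paths and the constructed "users" line are assumptions, not real configuration.

```shell
#!/bin/sh
# Added example: decide whether "other" can read a file, taking every
# ancestor directory's execute (search) bit into account. This mirrors the
# case from the thread: /etc/freeradius is drwxr-s--x (others may traverse
# but not list) and /etc/freeradius/users is -rw-r--r-- (others may read).

# Print the 10-character mode string (e.g. drwxr-s--x) for a path.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 if "other" has the search bit on every ancestor directory of $1.
# Expects an absolute path; stops at "/".
others_can_traverse_to() {
    dir=$(dirname "$1")
    while [ "$dir" != "/" ] && [ "$dir" != "." ]; do
        case $(mode_of "$dir") in
            *x|*t) ;;        # last mode char x or t: others may traverse
            *) return 1 ;;
        esac
        dir=$(dirname "$dir")
    done
    return 0
}

# Return 0 if "other" can read $1: its own r bit AND traversal of all parents.
others_can_read() {
    case $(mode_of "$1") in
        ???????r??) ;;       # 8th mode char is the "other" read bit
        *) return 1 ;;
    esac
    others_can_traverse_to "$1"
}

# Demo: rebuild both layouts from the thread under a temp dir (constructed).
demo() {
    base=$(mktemp -d) && chmod 755 "$base"   # mktemp gives 0700; open it up
    mkdir "$base/freeradius"
    printf 'bob Cleartext-Password := "constructed"\n' > "$base/freeradius/users"
    chmod 2751 "$base/freeradius"            # drwxr-s--x, as shipped
    chmod 644 "$base/freeradius/users"       # -rw-r--r--
    others_can_read "$base/freeradius/users" && echo "2751/644: others CAN read users"
    chmod 750 "$base/freeradius"             # what the reporter proposes
    others_can_read "$base/freeradius/users" || echo "750/644: others cannot read users"
    rm -rf "$base"
}
demo
```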

 

 

From: mich...@i3wm.org [mailto:mich...@i3wm.org] On behalf of Michael
Stapelberg
Sent: Sunday, 25 February 2018 16:13
To: Simon Boldinger <si...@turnagile.com>; 890...@bugs.debian.org
Subject: Re: [Pkg-freeradius-maintainers] Bug#890933: freeradius: File
permissions allow access to sensitive information by "others"

Hey Simon,

On Tue, Feb 20, 2018 at 8:09 PM, Simon Boldinger <si...@turnagile.com> wrote:

Package: freeradius
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

first of all, I already shared the following information with the debian
security team and they asked me to file this as a bug report: "I'm not why the
Debian packaging diverges, can you please file a bug against freeradius to have
the discussion with the maintainers in public?", Moritz Muehlenhoff from debian
security team.

Issue:
It seems, that sensitive information (for example stored in
/etc/freeradius/users) can be read by every system user ("others"). After
asking the freeradius team I was told, that the /etc/freeradius directory has
permissions 750 on their install (see Makefile). On my standard ubuntu/debian
package installation there is another/divergent permission set, which allows
every system user to access the freeradius directory (and therefore also some
files like /etc/freeradius/users which can contain sensitive information).

I cannot reproduce this. After "apt install freeradius" on debian sid, I end up
with the following directory:

root@a584ef009927:/# ls -ldR /etc/freeradius
drwxr-s--x 3 freerad freerad 4096 Feb 25 15:08 /etc/freeradius

The permissions are set up by
https://anonscm.debian.org/cgit/pkg-freeradius/freeradius.git/tree/debian/freeradius.postinst?id=f205eab8474e33183d936f4f60006a2e070e8335#n23

Unfortunately, your bug report was not filed from the machine on which you
installed freeradius, so I can't see which version of the package you're using.

Can you provide more details on your installation, along with the result of ls
-ldR /etc/freeradius please?

I assume the debian freeradius package should be adapted, so that access to the
whole /etc/freeradius directory is restricted, as intended by the freeradius
team.

Best regards
Simon Boldinger



-- System Information:
Debian Release: stretch/sid
  APT prefers artful-updates
  APT policy: (500, 'artful-updates'), (500, 'artful-security'), (500, 
'artful'), (100, 'artful-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.13.0-32-generic (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages freeradius depends on:
pn  freeradius-common  <none>
pn  freeradius-config  <none>
ii  libc6              2.26-0ubuntu2.1
pn  libct4             <none>
pn  libfreeradius3     <none>
ii  libgdbm3           1.8.3-14
ii  libpam0g           1.1.8-3.2ubuntu3
ii  libperl5.26        5.26.0-8ubuntu1
ii  libpython2.7       2.7.14-2ubuntu2
ii  libreadline7       7.0-0ubuntu2
ii  libsqlite3-0       3.19.3-3
ii  libssl1.0.0        1.0.2g-1ubuntu13.3
ii  libtalloc2         2.1.9-2ubuntu1
ii  libwbclient0       2:4.6.7+dfsg-1ubuntu3.1
ii  lsb-base           9.20160110ubuntu5

Versions of packages freeradius recommends:
pn  freeradius-utils  <none>

Versions of packages freeradius suggests:
pn  freeradius-krb5        <none>
pn  freeradius-ldap        <none>
pn  freeradius-mysql       <none>
pn  freeradius-postgresql  <none>
pn  snmp                   <none>

_______________________________________________
Pkg-freeradius-maintainers mailing list
pkg-freeradius-maintain...@lists.alioth.debian.org
https://lists.alioth.debian.org/mailman/listinfo/pkg-freeradius-maintainers

-- 

Best regards,
Michael