Source: audit, rust-laurel
Severity: important
X-Debbugs-Cc: Helmut Grohne <hel...@subdivi.de>

Hi!

While analyzing the archive for mismatched file metadata (as part of
the preparation to add support into dpkg), thanks to Helmut gathering
the data from the archive, I noticed that these two source packages
generate binaries that have a mismatch in the permissions for the
/etc/audit/ and /etc/audit/plugins.d/ directories, where there could be
security implications if the contents are expected to contain secrets
that only root is supposed to read, as the permissions of the directory
are decided by the first package being unpacked, and subsequent
directory unpacks get ignored (including any change in permissions).

  $ dpkg-deb -c audispd-plugins_1%3a4.0.1-1_amd64.deb | grep '/etc/audit.*/$'
  drwxr-x--- root/root 0 2024-08-09 11:04 ./etc/audit/
  drwxr-x--- root/root 0 2024-08-09 11:04 ./etc/audit/plugins.d/
  $ dpkg-deb -c auditd_1%3a4.0.1-1_amd64.deb | grep '/etc/audit.*/$'
  drwxr-x--- root/root 0 2024-08-09 11:04 ./etc/audit/
  drwxr-x--- root/root 0 2024-08-09 11:04 ./etc/audit/plugins.d/
  drwxr-x--- root/root 0 2024-08-09 11:04 ./etc/audit/rules.d/
  $ dpkg-deb -c laurel_0.6.3-1_amd64.deb | grep '/etc/audit.*/$'
  drwxr-xr-x root/root 0 2024-09-11 10:33 ./etc/audit/
  drwxr-xr-x root/root 0 2024-09-11 10:33 ./etc/audit/plugins.d/

I assume the correct ones are coming from the audit source, but
assigned to both for awareness and coordination purposes, feel free to
reassign to whichever might need to adapt the permissions.

If this has security implications then it might be worth setting the
security tag, raising the severity, and perhaps preparing a change for
a stable update too?

If there are no security implications, it would still be good to make
the permissions consistent, otherwise dpkg would start warning or
erroring out on mismatched metadata once the support gets in and is
enabled.

Thanks,
Guillem
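
The comparison described in the report can be automated over `dpkg-deb -c` output. The following is an added example, not part of the original report and not dpkg's own check: it parses the three listings quoted above and reports every directory shipped with differing mode or owner. The package labels used as dictionary keys and the function names are assumptions of this example.

```python
from collections import defaultdict

# Directory entries as printed by `dpkg-deb -c` in the report above.
# The dict keys are short package labels chosen for this example.
LISTINGS = {
    "audispd-plugins": """\
drwxr-x--- root/root 0 2024-08-09 11:04 ./etc/audit/
drwxr-x--- root/root 0 2024-08-09 11:04 ./etc/audit/plugins.d/
""",
    "auditd": """\
drwxr-x--- root/root 0 2024-08-09 11:04 ./etc/audit/
drwxr-x--- root/root 0 2024-08-09 11:04 ./etc/audit/plugins.d/
drwxr-x--- root/root 0 2024-08-09 11:04 ./etc/audit/rules.d/
""",
    "laurel": """\
drwxr-xr-x root/root 0 2024-09-11 10:33 ./etc/audit/
drwxr-xr-x root/root 0 2024-09-11 10:33 ./etc/audit/plugins.d/
""",
}

def parse_dirs(listing):
    """Yield (path, mode, owner) for every directory line of a tar-style listing."""
    for line in listing.splitlines():
        fields = line.split(None, 5)  # mode owner size date time path
        if len(fields) == 6 and fields[0].startswith("d"):
            yield fields[5].rstrip("/"), fields[0], fields[1]

def mismatched_dirs(listings):
    """Return {path: {(mode, owner): [packages]}} for directories whose metadata differs."""
    seen = defaultdict(lambda: defaultdict(list))
    for pkg, listing in listings.items():
        for path, mode, owner in parse_dirs(listing):
            seen[path][(mode, owner)].append(pkg)
    return {path: {meta: sorted(pkgs) for meta, pkgs in variants.items()}
            for path, variants in seen.items() if len(variants) > 1}

def other_access(mode):
    """True when the 'other' permission triplet of an ls-style mode grants anything."""
    return mode[7:10] != "---"

if __name__ == "__main__":
    for path, variants in sorted(mismatched_dirs(LISTINGS).items()):
        print(path)
        for (mode, owner), pkgs in variants.items():
            flag = "  <- grants access to 'other'" if other_access(mode) else ""
            print(f"  {mode} {owner}  {', '.join(pkgs)}{flag}")
```

Because the first package unpacked decides the directory's permissions, any path this reports has an install-order-dependent mode on the resulting system.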