No reply to this in nearly 2 years. My opinion didn't change, IMHO it is user-requested behaviour to get things writable by group if you set umask to 02 -- that's what umask *does*.
If anybody disagrees, you can do any of these three:

1) convince the security team to rule that this is indeed a security bug and behaviour must be changed
2) convince lintian maintainers likewise. Nobody so far disagreed here in this buglog or tended to this bugreport, so I assume the team agrees with me here: you'd most likely need new argumentation for that
3) Appeal to tech-ctte if the above fails

Otherwise, I'll close this bugreport by the end of the year.

--Jeroen

On Tue, Dec 21, 2004 at 03:34:54PM +0100, Jeroen van Wolffelaar wrote:
> On Tue, Dec 21, 2004 at 03:26:12PM +0100, Martin Schulze wrote:
> > I haven't verified that this code is executed for each lintian execution.
> > However, if it is, then it's an issue since the process does not fail if
> > mkdir fails, instead the directory is used.
>
> This is simply not true, see [1]. This code is executed every lintian
> invocation, but a failing mkdir _will_ abort lintian.
>
> The current discussion is about whether or not it is okay for lintian to
> use a directory made with current umask, since for example a umask of
> 02 would render you vulnerable to attacks by members of the same
> group[2].
>
> In my opinion, this is a user-error having 02 umask with
> untrusted members of the same group[3], but the bug submitter
> disagrees[4].
>
> Sorry for the mess that this buglog is, at the moment...
>
> --Jeroen
>
> [1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286379&msg=12
> [2] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286379&msg=24
> [3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286379&msg=27
> [4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=286379&msg=36
>
> --
> Jeroen van Wolffelaar
> [EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
> http://Jeroen.A-Eskwadraat.nl

--
Jeroen van Wolffelaar
[EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357)
http://Jeroen.A-Eskwadraat.nl
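The two behaviours this message turns on, as an added example that is not part of the message or of lintian's code: a directory made with a plain `mkdir` inherits the caller's umask, while an explicit mode does not, and a failing `mkdir` is reported to the caller. The helper names and scratch paths are hypothetical.

```shell
#!/bin/sh
# Added example: helper names and scratch paths are hypothetical, not lintian's.

# Print the 10-character type/permission string of a path, e.g. drwxrwxr-x.
perm_of() { ls -ld "$1" | cut -c1-10; }

# Create $2 with a plain mkdir while umask $1 is in effect: the resulting
# mode is 0777 masked by whatever umask the caller happens to have.
make_dir_with_umask() {
    ( umask "$1" && mkdir "$2" ) || return 1
    perm_of "$2"
}

# Create $2 with an explicit mode, so the result does not depend on the
# umask. A failing mkdir (for example, the path already exists) returns
# non-zero so the caller can abort instead of using the directory.
make_private_dir() {
    ( umask "$1" && mkdir -m 700 "$2" ) || return 1
    perm_of "$2"
}

# Constructed demonstration in a throwaway directory.
demo() {
    lab=$(mktemp -d) || return 1
    echo "umask 002, plain mkdir:  $(make_dir_with_umask 002 "$lab/a")"
    echo "umask 077, plain mkdir:  $(make_dir_with_umask 077 "$lab/b")"
    echo "umask 002, mkdir -m 700: $(make_private_dir 002 "$lab/c")"
    make_private_dir 002 "$lab/c" 2>/dev/null \
        || echo "second mkdir on the same path: refused, caller should abort"
    rm -rf "$lab"
}
demo
```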