Bug#494648: The possibility of attack with the help of symlinks in some Debian packages

[Dmitry E. Oboukhov]

SD>> On 00:38 Thu 14 Aug     , Sven Dowideit wrote:
SD>>> No, I was told by Nico or Joey that web apps should not be filling up
SD>>> the /var filesystem with session files.
SD>> 
SD>>> this is apparently also _not_ a solution.
SD>> 
SD>>> /tmp was determined in October 2007 as the best place
SD>> 
SD>> Ok, Yoy can do it (in your postinst):
SD>> 
SD>> twiki_session_dir=`mktemp -d /tmp/twiki.XXXXXXXXXX`
SD>> chown www-data:www-data $twiki_session_dir # or chown $TWIKI_OWNER:www-data
SD>> chmod 0750 $twiki_session_dir # or chmod 1770 if $TWIKI_OWNER != www-data
SD>> perl -pi -e "s/(TempfileDir).*/$1} = '$twiki_session_dir';" \
SD>>     /etc/twiki/LocalSite.cfg
SD>> 
SD>> attributes must be 0750 or 0770 or 0700 if owner==www-data
SD>> or 1770 if owner != www-data ($TWIKI_OWNER)
SD>> 
SD> and then on upgrade, create another one because the user selected to
SD> overwrite the cfg, and so on - sounds like its less of a solution than
SD> to use a predictable dir, with a more appropriate attempt to make sure
SD> its safe.

SD> it worries me that you appear to be contradicting the permissions I was
SD> required to set up for #444982 - I'm not quite sure who's advice should
SD> get priority - Joey's or yours.

SD> Perhaps I should set up a google fight.

Full algorithm:

1. You change debian/LocalSite.cfg: s{/tmp/wiki}{#UNDEFINED_TEMP_DIR#};

2. in postinst You do:

2.1 

if grep -q #UNDEFINED_TEMP_DIR# /etc/twiki/LocalSite.cfg; then
        twiki_session_dir=`mktemp -d /tmp/twiki.XXXXXXXXXX`
        perl -pi -e \
            "s/(TempfileDir).*/$1} = '$twiki_session_dir';/" \
            /etc/twiki/LocalSite.cfg
    chown $TWIKI_OWNER:www-data $twiki_session_dir
else
        twiki_session_dir=`grep TempfileDir /etc/twiki/LocalSite.cfg \
            | sed "s/=[[:space:]]*'//"|sed "s/'.*//"`
fi

# [1]
chmod 1770 $twiki_session_dir


in [1] you can insert the verification code, for example:

if test -d $twiki_session_dir; then
    # $twiki_session_dir is directory and exists
    found_owner=`ls -l $twiki_session_dir|awk '{ print $3 }'`
    found_group=`ls -l $twiki_session_dir|awk '{ print $4 }'`

    if test $found_owner = $TWIKI_OWNER -a \
            $found_group = www-data; then
        # previous install is ok (owner:group)
    else
        # unknown owner
    fi
else
    #   $twiki_session_dir is not directory
    # you can recreate it with new path
fi

3. You can show errors with help of debhelper's dialogs.


--
... mpd is off

. ''`. Dmitry E. Oboukhov
: :’  : [EMAIL PROTECTED]
`. `~’ GPGKey: 1024D / F8E26537 2006-11-21
  `- 1B23 D4F8 8EC0 D902 0555  E438 AB8C 00CF F8E2 6537

signature.asc
Description: Digital signature