On Fri, Jul 01, 2011 at 10:08:47AM -0400, Jim Paris wrote:
> Package: libvirt-bin
> Version: 0.9.2-5
> Severity: normal
>
> On the libvirt mailing list, I noticed this patch:
>
> http://www.redhat.com/archives/libvir-list/2011-May/msg01367.html
> Subject: [PATCH] libvirt.spec: /var/cache/libvirt should be 0711.
>
> I was curious to see if this packaging change made its way to Debian,
> but it seems that we don't set _any_ of the permissions like the .spec
> file does. The particular bug they were trying to fix likely doesn't
> exist in Debian because our /var/cache/libvirt is already overly
> permissive, but this seems like an oversight and can be a potential
> security issue (information leakage due to default 0755 rather than
> the more restrictive permissions that the .spec file lists).

Looking at the dirs I don't think we're actually leaking information at the
moment but it might be better to stay close to upstream in case it puts
sensible files there.

Thanks,
 -- Guido

