Your message dated Tue, 31 Mar 2009 21:17:17 +0000
with message-id <e1lolkf-0006ok...@ries.debian.org>
and subject line Bug#518518: fixed in backuppc 3.1.0-6
has caused the Debian Bug report #518518,
regarding backuppc: web frontend installed insecurely by default
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
518518: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=518518
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: backuppc
Version: 3.1.0-4
Severity: grave
Tags: security
Justification: user security hole
Hi,
The CGI script of the web frontend is installed setuid to the backuppc user.
This means that any local user of the system can run the CGI script as the
backuppc user. The CGI script simply reads the REMOTE_USER environment
variable to check permissions which can be faked by the invoking user. The
CGI also seems to treat the absence of the REMOTE_USER variable as allowing
full access!
As an example on a default install that backs up /etc (the 'localhost' host)
the following command will reveal the password hashes for the web interface
(stored in /etc/backuppc/htpasswd and which should be readable only by the
backuppc user):
/usr/share/backuppc/cgi-bin/index.cgi action=RestoreFile host=localhost num=0
share=/etc dir=/backuppc/htpasswd
Note that if backuppc is used to fully back up other machines as root (the
recommended configuration) then it is possible using this method to read files
such as the backed up /etc/shadow !!
Thanks,
Steve
-- System Information:
Debian Release: 5.0
APT prefers stable
APT policy: (601, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages backuppc depends on:
ii adduser 3.110 add and remove users and groups
ii apache2 2.2.9-10+lenny2 Apache HTTP Server metapackage
ii apache2-mpm-worker [http 2.2.9-10+lenny2 Apache HTTP Server - high speed th
ii bzip2 1.0.5-1 high-quality block-sorting file co
ii debconf [debconf-2.0] 1.5.24 Debian configuration management sy
ii dpkg 1.14.25 Debian package management system
ii libarchive-zip-perl 1.18-1 Module for manipulation of ZIP arc
ii libcompress-zlib-perl 2.012-1 Perl module for creation and manip
ii perl [libdigest-md5-perl 5.10.0-19 Larry Wall's Practical Extraction
ii perl-suid 5.10.0-19 Runs setuid Perl scripts
ii samba-common 2:3.2.5-4 Samba common files used by both th
ii smbclient 2:3.2.5-4 a LanManager-like simple client fo
ii tar 1.20-1 GNU version of the tar archiving u
Versions of packages backuppc recommends:
ii exim4 4.69-9 metapackage to ease Exim MTA (v4)
ii exim4-daemon-light [mail-tra 4.69-9 lightweight Exim MTA (v4) daemon
ii libfile-rsyncp-perl 0.68-1.1+b1 A perl based implementation of an
ii openssh-client [ssh-client] 1:5.1p1-5 secure shell client, an rlogin/rsh
ii rrdtool 1.3.1-4 Time-series data storage and displ
ii rsync 3.0.3-2 fast remote file copy program (lik
Versions of packages backuppc suggests:
ii iceweasel [www-browser] 3.0.6-1 lightweight web browser based on M
ii links [www-browser] 2.1pre37-1.1 Web browser running in text mode
pn par2 <none> (no description available)
ii w3m [www-browser] 0.5.2-2+b1 WWW browsable pager with excellent
-- debconf information:
backuppc/restart-webserver: true
* backuppc/configuration-note:
* backuppc/reconfigure-webserver: apache2
--- End Message ---
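The report above names two defects: a setuid CGI script that lets a local user supply a forged environment, and an authorization check that treats a missing REMOTE_USER as full access. The following audit helper is an added example written for this page, not code from the Debian bug report or from the backuppc package. It checks the permission bits that matter (setuid/setgid on the CGI, group/other access on htpasswd and htgroup) and shows a fail-closed way of reading REMOTE_USER. The default paths are the ones quoted in the report; any other layout is an assumption the caller passes in.

```python
"""Defensive audit for the two misconfigurations named in Bug#518518.

Added example, not part of the bug report or of the backuppc package.
"""
import os
import stat
import tempfile

# Paths quoted in the bug report. Any other layout is an assumption the
# caller supplies through the function arguments.
DEFAULT_CGI = "/usr/share/backuppc/cgi-bin/index.cgi"
DEFAULT_SECRETS = ("/etc/backuppc/htpasswd", "/etc/backuppc/htgroup")


def cgi_mode_findings(path, mode):
    """Findings for a CGI script's st_mode: it must not be setuid or setgid.

    The web server already runs the CGI under its own account; a setuid bit
    lets any local user execute it as the owning user with an environment
    of their choosing, which is the condition the report describes.
    """
    findings = []
    perm = stat.S_IMODE(mode)
    if mode & stat.S_ISUID:
        findings.append(f"{path}: setuid bit set (mode {perm:04o})")
    if mode & stat.S_ISGID:
        findings.append(f"{path}: setgid bit set (mode {perm:04o})")
    return findings


def secret_mode_findings(path, mode):
    """Findings for a credential file's st_mode: owner-only access expected."""
    findings = []
    perm = stat.S_IMODE(mode)
    if mode & (stat.S_IRGRP | stat.S_IWGRP):
        findings.append(f"{path}: accessible by group (mode {perm:04o})")
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(f"{path}: accessible by others (mode {perm:04o})")
    return findings


def audit_files(cgi=DEFAULT_CGI, secrets=DEFAULT_SECRETS):
    """Stat the given paths and collect findings; missing files are skipped."""
    findings = []
    if cgi and os.path.exists(cgi):
        findings.extend(cgi_mode_findings(cgi, os.stat(cgi).st_mode))
    for path in secrets:
        if os.path.exists(path):
            findings.extend(secret_mode_findings(path, os.stat(path).st_mode))
    return findings


def authenticated_user(environ):
    """Fail-closed lookup of the user the web server authenticated.

    Returns REMOTE_USER only when it is present and non-empty; otherwise it
    raises, so an absent variable can never be read as "full access".
    """
    user = environ.get("REMOTE_USER", "").strip()
    if not user:
        raise PermissionError("no authenticated user (REMOTE_USER unset)")
    return user


if __name__ == "__main__":
    # Constructed demonstration on temporary files, not on a live system.
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "htpasswd")
        with open(secret, "w") as fh:
            fh.write("admin:PLACEHOLDER_HASH\n")  # constructed placeholder entry
        os.chmod(secret, 0o644)                   # the weak setting
        for line in audit_files(cgi="", secrets=(secret,)):
            print("FINDING:", line)
        os.chmod(secret, 0o600)                   # the corrected setting
        print("after fix:", audit_files(cgi="", secrets=(secret,)) or "clean")
```

Run as root on the host being checked, `audit_files()` with no arguments inspects the report's default paths; an empty result means the CGI carries no setuid/setgid bit and the credential files are owner-only. The mode-only functions take a raw `st_mode` so they can also be fed values collected from a package manifest or a remote inventory.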
--- Begin Message ---
Source: backuppc
Source-Version: 3.1.0-6
We believe that the bug you reported is fixed in the latest version of
backuppc, which is due to be installed in the Debian FTP archive:
backuppc_3.1.0-6.diff.gz
to pool/main/b/backuppc/backuppc_3.1.0-6.diff.gz
backuppc_3.1.0-6.dsc
to pool/main/b/backuppc/backuppc_3.1.0-6.dsc
backuppc_3.1.0-6_all.deb
to pool/main/b/backuppc/backuppc_3.1.0-6_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 518...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ludovic Drolez <ldro...@debian.org> (supplier of updated backuppc package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 31 Mar 2009 11:30:48 +0200
Source: backuppc
Binary: backuppc
Architecture: source all
Version: 3.1.0-6
Distribution: unstable
Urgency: high
Maintainer: Ludovic Drolez <ldro...@debian.org>
Changed-By: Ludovic Drolez <ldro...@debian.org>
Description:
backuppc - high-performance, enterprise-grade system for backing up PCs
Closes: 518518
Changes:
backuppc (3.1.0-6) unstable; urgency=high
.
* Fix the permissions of the CGI script. Closes: #518518
* Fix the permissions of htpasswd/htgroup files
* Enabled MD5 hash for htpasswd by default
Checksums-Sha1:
ee3c67bcb500c2c130a715676c4681f5268ae266 1009 backuppc_3.1.0-6.dsc
712fec8831efa98a684257e360759df28a5417a7 25335 backuppc_3.1.0-6.diff.gz
309bffadf59269247d09362c360f02d9708e6bab 541976 backuppc_3.1.0-6_all.deb
Checksums-Sha256:
b717b2afd2c1dd6064ee6e0bdf9df87cb2e52a9198626d0c073488b12b35d0b4 1009 backuppc_3.1.0-6.dsc
80ff0aad33dfcb77cc545867bb9e59a17787935f826f87e2b04c26fa32c70d60 25335 backuppc_3.1.0-6.diff.gz
cc3b8e44e2e3f0f82b7339e31b707652c9a433683a99299198297d14505a9dfe 541976 backuppc_3.1.0-6_all.deb
Files:
bb4ec88eb9118cdf1292a9c59d323c5d 1009 utils optional backuppc_3.1.0-6.dsc
0be596aa7952f1b51328f0d2bed091f5 25335 utils optional backuppc_3.1.0-6.diff.gz
6539ce6efeb77c3d082c7fc3febecd1d 541976 utils optional backuppc_3.1.0-6_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAknSdSoACgkQsRlQAP1GppileQCeOpxJ8TnH4icA92yZCiyGoRLu
+aUAoIXJ/+tLiQB+M7aFZnPdJdKXCAlG
=b6dL
-----END PGP SIGNATURE-----
--- End Message ---