Package: unattended-upgrades
Version: 0.79.5
Severity: normal
Tags: security
/var/log/unattended-upgrades/ is readable by all, so when this package is
run on a multi-user system, non-admin users can trawl the upgrade logs
for interesting information.
I don't know what they might find.. Which is the concern. When writing a
postinst script, the assumption is probably that only an admin, or
possibly a shoulder-surfer might see its output. So I'd not be surprised
if some of them leak information that is in some way sensative, though
probably not password-level sensitive.
Ah, let's pick on one of my own packages -- when etckeeper is installed,
it makes commits of changes in /etc and allows git to display its usual
summary of changes. So the log can contain something like this:
[master d7acbf4] saving uncommitted changes in /etc prior to apt run
2 files changed, 317 insertions(+)
create mode 100644 ssl/private/apache.pem
create mode 100644 ssl/certs/apache.pem
.. Exposing the contents of directories that normal users
cannot see inside of. I would not worry much if a shoulder-surfer saw that,
but it's worrying to think that a user could extract all such messages from
all the upgrade logs and combine them to facilitate other attacks.
For example, in this case, a wily attacker might notice that I seem to
accidentially have an insecure o+r mode on the apache ssl cert, which is
protected only by the mode of /etc/ssl/private. Now they can look for a
security hole that allows hard linking to arbitrary files as root..
Any reason not to make the directory 750 root.adm?
--
see shy jo
signature.asc
Description: Digital signature
