subject:"Bug#916833\: SECURITY\: world writable \/srv\/local\/share\/ca\-certificates"

Bug#916833: SECURITY: world writable /srv/local/share/ca-certificates

2018-12-19 Thread Michael Shuler

On 12/19/18 3:10 AM, Maurizio Sartori wrote:
> 
>* Possible correction
>   The problem seems to be in
>  /var/lib/dpkg/info/ca-certificates.postinst
>   the stat command should have the '-L' switch
> 
>   So for example:
>  chmod $(stat -c %a /usr/local) /usr/local/share/ca-certificates
>  chown $(stat -c %u /usr/local):$(stat -c %g /usr/local) 
> /usr/local/share/ca-certificates
>   should became
>  chmod $(stat -c %a -L /usr/local) /usr/local/share/ca-certificates
>  chown $(stat -c %u -L /usr/local):$(stat -c %g -L /usr/local) 
> /usr/local/share/ca-certificates

Thanks for the bug report.

-- 
Kind regards,
Michael

Bug#916833: SECURITY: world writable /srv/local/share/ca-certificates

2018-12-19 Thread Maurizio Sartori

Package: ca-certificates
Version: 20180409
Severity: normal

Dear Maintainer,

   * What led up to the situation?
  my /usr/local dir is a symlink to /srv/local

   * What exactly did you do (or not do) that was effective (or ineffective)?
  after a
 dpkg-reconfigure ca-certificates
  the directory /srv/local/share/ca-certificates becames world writable!

  Here is an example session
 # ls -flad / /usr /usr/local /srv/local /srv/local/share 
/srv/local/share/ca-certificates
drwxr-xr-x 24 root root  4096 Dec  6 17:19 /
drwxr-xr-x  9 root root  4096 Dec  2 16:54 /usr
lrwxrwxrwx  1 root root10 Dec  2 16:54 /usr/local -> /srv/local
drwxr-xr-x 16 root root  4096 Dec  2 16:50 /srv/local
drwxrwsr-x  8 root staff 4096 Dec 19 10:01 /srv/local/share
drwxr-sr-x  2 root root  4096 Dec 19 09:26 
/srv/local/share/ca-certificates
 # dpkg-reconfigure ca-certificates
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Processing triggers for ca-certificates (20180409) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...

done.
done.
 # ls -flad / /usr /usr/local /srv/local /srv/local/share 
/srv/local/share/ca-certificates 
drwxr-xr-x 24 root root  4096 Dec  6 17:19 /
drwxr-xr-x  9 root root  4096 Dec  2 16:54 /usr
lrwxrwxrwx  1 root root10 Dec  2 16:54 /usr/local -> /srv/local
drwxr-xr-x 16 root root  4096 Dec  2 16:50 /srv/local
drwxrwsr-x  8 root staff 4096 Dec 19 10:01 /srv/local/share
drwxrwsrwx  2 root root  4096 Dec 19 09:26 
/srv/local/share/ca-certificates

  Note the changed permission of /srv/local/share/ca-certificates
drwxr-sr-x   ->   drwxrwsrwx

   * What outcome did you expect instead?
  keep a safe permission

   * Possible correction
  The problem seems to be in
 /var/lib/dpkg/info/ca-certificates.postinst
  the stat command should have the '-L' switch

  So for example:
 chmod $(stat -c %a /usr/local) /usr/local/share/ca-certificates
 chown $(stat -c %u /usr/local):$(stat -c %g /usr/local) 
/usr/local/share/ca-certificates
  should became
 chmod $(stat -c %a -L /usr/local) /usr/local/share/ca-certificates
 chown $(stat -c %u -L /usr/local):$(stat -c %g -L /usr/local) 
/usr/local/share/ca-certificates

-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US:en 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ca-certificates depends on:
ii  debconf [debconf-2.0]  1.5.69
ii  openssl1.1.1a-1

ca-certificates recommends no packages.

ca-certificates suggests no packages.

-- debconf information excluded

Bug#916833: SECURITY: world writable /srv/local/share/ca-certificates

Bug#916833: SECURITY: world writable /srv/local/share/ca-certificates

2 matches

Site Navigation

Mail list logo

Footer information