Package: coreutils
Version: 5.97-5.3
Severity: normal

cp -p doesn't update the group on a file before writing data
into the target.  That means that during the copy, users you
didn't intend to be able to read the file can read the file.

For example: 

| Running Debian GNU/Linux 4.0 (etch) on i686.
| 
| techhouse-0:/scratch/soren=> ls -l spool.16Aug07
| -rw-r----- 1 soren adm 43105807 2007-08-15 21:17 spool.16Aug07
| techhouse-0:/scratch/soren=> cp -p spool.16Aug07 whenadm
| [3] + Stopped              cp -p spool.16Aug07 whenadm
| techhouse-0:/scratch/soren=> ls -l whenadm
| -rw-r----- 1 soren ssl-cert 16728064 2007-08-16 21:41 whenadm
|         [huh, why can ssl-cert users (26 of them) read my file?]
|         [oddly my primary GID is ssl-cert; I think that used to be 'users' ;p]
| techhouse-0:/scratch/soren=> fg
| cp -p spool.16Aug07 whenadm
|         [now that it's finished]
| techhouse-0:/scratch/soren=> ls -l whenadm
| -rw-r----- 1 soren adm 43105807 2007-08-15 21:17 whenadm
| [and finally it's right]

This bug is fixed in upstream (6.9), but the latest version
of the Debian package is 5.97.

http://lists.gnu.org/archive/html/bug-coreutils/2007-08/msg00106.html

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages coreutils depends on:
ii  libacl1                     2.2.41-1     Access control list shared library
ii  libc6                       2.3.6.ds1-13 GNU C Library: Shared libraries
ii  libselinux1                 1.32-3       SELinux shared libraries

coreutils recommends no packages.

-- no debconf information
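
An added example, not part of the original report and not coreutils code: one ordering that closes the window shown in the transcript. The destination is created without group/other permissions, ownership is set while it is still empty, and the mode is widened only after the data is written. `creation_mode` and `copy_preserving` are hypothetical names; timestamps and ACLs are not handled.

```c
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Mode used while data is being written: the source's permission bits with
   all group/other access removed, so the default group gains nothing. */
mode_t creation_mode(mode_t src_mode)
{
    return src_mode & 07777 & ~(S_IRWXG | S_IRWXO);
}

/* Hypothetical helper: copy src to a new file dst, preserving owner, group
   and mode. Returns 0 on success, -1 on error (dst is removed on failure). */
int copy_preserving(const char *src, const char *dst)
{
    struct stat st;
    char buf[65536];
    ssize_t n = -1;
    int in = open(src, O_RDONLY);
    if (in < 0)
        return -1;
    if (fstat(in, &st) < 0) {
        close(in);
        return -1;
    }
    /* O_EXCL: refuse to write into a file someone else pre-created. */
    int out = open(dst, O_WRONLY | O_CREAT | O_EXCL, creation_mode(st.st_mode));
    if (out < 0) {
        close(in);
        return -1;
    }
    /* 1. Set owner and group while the file is empty and owner-only. */
    int ok = fchown(out, st.st_uid, st.st_gid) == 0;
    /* 2. Copy the data (handling short writes); still no group access. */
    while (ok && (n = read(in, buf, sizeof buf)) > 0)
        for (ssize_t off = 0, w; ok && off < n; off += w)
            ok = (w = write(out, buf + off, (size_t)(n - off))) > 0;
    ok = ok && n == 0;
    /* 3. Only now widen the permissions to match the source. */
    ok = ok && fchmod(out, st.st_mode & 07777) == 0;
    close(in);
    if (close(out) < 0)
        ok = 0;
    if (!ok)
        unlink(dst);
    return ok ? 0 : -1;
}
```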

