Package: xmcd
Version: 2.6-17.1
Severity: grave
Tags: security patch
Justification: causes non-serious data loss

Symptoms: /usr/sbin/xmcdconfig creates directories world-writeable
        below /var/lib/cddb and /var/lib/xmcd/discog

Risk: unprivileged users (including any subverted PHP-script running
        as "nobody") can fill up the filesystem, or delete all my
        collected cddb discography data.

This bug has been noticed before, and attempted fixes are already
present in the postinsts for cddb and xmcd - the permissions they're
aiming at are the much saner "root:audio 03775".  Unfortunately,
/usr/sbin/xmcdconfig may be run _after_ these install-time chmod-Rs,
and it explicitly sets:

 OWNER=root
 GROUP=root
 CDIRPERM=777

...then calls "make_dir $CDDBDIR/$i $CDIRPERM $OWNER $GROUP" and
"make_dir $DISCOGDIR/$i $CDIRPERM $OWNER $GROUP".

Since xmcdconfig starts out as $SOURCE/libdi_d/config.sh, you'd
think it would be easy to fix.  Alas, those OWNER and GROUP lines
are initially set to =bin, then munged by a sed invocation in
$SOURCE/install.sh to match the $OWNER and $GROUP used everywhere
else in the install process.

In other words, I don't see a clean and simple patch.  So here's an
ugly one.
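The condition the report describes (category directories created mode 777, so any local user can fill them or unlink other users' entries) can be audited and corrected without touching xmcdconfig. The script below is an added example, not code from the bug report or from the xmcd package; the sample tree it builds under a temporary directory is constructed, and the group argument is optional because the "audio" group only exists where the cddb/xmcd packages created it.

```shell
#!/bin/sh
# Added example (not from the report or the xmcd sources): find directories
# that are world-writable and lack the sticky bit, then apply the mode the
# cddb/xmcd postinsts aim at (03775 = setgid + sticky + rwxrwxr-x).

# Print every directory under $1 that any user can write to and that has no
# sticky bit (01000), i.e. where any user can also delete others' files.
find_world_writable_dirs() {
    find "$1" -type d -perm -0002 ! -perm -1000 2>/dev/null | sort
}

# Succeeds (exit 0) when no such directory exists under $1.
tree_is_clean() {
    [ -z "$(find_world_writable_dirs "$1")" ]
}

# Apply mode 03775 to every directory under $1; optionally set the group
# to $2 (e.g. "audio" on a system where that group exists).
harden_tree() {
    dir=$1
    group=${2:-}
    find "$dir" -type d -exec chmod 03775 {} +
    if [ -n "$group" ]; then
        find "$dir" -type d -exec chgrp "$group" {} +
    fi
}

# Demonstration on a constructed tree shaped like the one xmcdconfig creates.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/cddb/rock" "$tmp/cddb/jazz" "$tmp/discog/rock"
    chmod 777 "$tmp/cddb/rock" "$tmp/cddb/jazz" "$tmp/discog/rock"
    echo "world-writable before hardening:"
    find_world_writable_dirs "$tmp"
    harden_tree "$tmp"
    echo "world-writable after hardening:"
    find_world_writable_dirs "$tmp"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh check-cddb-perms.sh demo` to see the before/after listing; on a real system, `find_world_writable_dirs /var/lib/cddb` run after xmcdconfig is the check that would have caught the regression the postinst chmod was meant to prevent.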

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable')
Architecture: i386 (i586)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16.xamanek
Locale: LANG=en_GB, LC_CTYPE=en_GB (charmap=ISO-8859-1)

Versions of packages xmcd depends on:
ii  cddb                      2.6-17.1       CD DataBase support tools
ii  lesstif1                  1:0.93.94-12   OSF/Motif 1.2 implementation relea
ii  libc6                     2.3.6-7        GNU C Library: Shared libraries
ii  libncurses5               5.5-1.1        Shared libraries for terminal hand
ii  libx11-6                  6.9.0.dfsg.1-6 X Window System protocol client li
ii  libxt6                    6.9.0.dfsg.1-6 X Toolkit Intrinsics
ii  zlib1g                    1:1.2.3-11     compression library - runtime

-- no debconf information
-- 
JBR
Ankh kak! (Ancient Egyptian blessing)
diff -ru xmcd-2.6.pristine/libdi_d/config.sh xmcd-2.6/libdi_d/config.sh
--- xmcd-2.6.pristine/libdi_d/config.sh 2006-05-10 15:54:17.000000000 +0100
+++ xmcd-2.6/libdi_d/config.sh  2006-05-10 18:53:26.000000000 +0100
@@ -46,9 +46,10 @@
 SCRDIR=$XMCDLIB/scripts
 SITES=$CFGDIR/sites
 TBLDIR=$XMCDLIB/tbl
-OWNER=bin
-GROUP=bin
-CDIRPERM=777
+# permissions variables bypassed:
+# OWNER=bin
+# GROUP=bin
+# CDIRPERM=777
 DFLT_CGIPATH='/~cddb/cddb.cgi'
 CDDBCATS="rock jazz blues newage classical reggae folk country soundtrack misc 
data"
 BROWSERS="mozilla netscape Mosaic"
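Review bot: commenting out OWNER, GROUP and CDIRPERM instead of reassigning them leaves the three names undefined for the rest of config.sh, so any other line that still expands $OWNER, $GROUP or $CDIRPERM (only the two make_dir loops are rewritten in this patch) now passes an empty argument. Since the report says only the OWNER and GROUP lines are rewritten by the sed in install.sh, consider keeping `CDIRPERM=03775` as a live variable and referencing it from the loops, and add a comment here stating that the package-wide owner/group are bypassed on purpose so the next reader does not "fix" it back.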
@@ -1352,11 +1353,11 @@
        then
                for i in $CDDBCATS
                do
-                       make_dir $CDDBDIR/$i $CDIRPERM $OWNER $GROUP
+                       make_dir $CDDBDIR/$i 03775 root audio
                done
                for i in $CDDBCATS
                do
-                       make_dir $DISCOGDIR/$i $CDIRPERM $OWNER $GROUP
+                       make_dir $DISCOGDIR/$i 03775 root audio
                done
                if [ -x $XMCDLIB/scripts/genidx ]
                then
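Review bot: `03775 root audio` is now hard-coded in two places, so the two literals can drift apart, and if make_dir passes the group name to chown or chgrp the call fails on any system where the audio group does not exist at the time xmcdconfig runs. Suggest a single variable defined once in config.sh and used in both loops, and note that this hunk changes only the per-category subdirectories; the parent $CDDBDIR and $DISCOGDIR are not touched here.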
