*** This bug is a security vulnerability ***
Public security bug reported:
Binary package hint: origami
Origami is using the 'nogroup' group for its group file ownership;
instead, a special group must be created in the same fashion as the
'origami' user.
'nogroup' (and 'nobody') exist so that programs, such as NFS daemons,
can run with those uids, and reasonably expect to access only files in
the filesystem with world (other) read/write access. If there are files
with group owner 'nogroup' in the filesystem, then the point of the
'nogroup' group is broken. (The use of nobody/nogroup for overflow
uid/gid is unfortunate, and yet another compounding reason why origami
shouldn't be using 'nogroup' for file ownership.)
Because the files created by origami do need a group owner of some sort,
I recommend creating a new group when creating a new user. That way, no
other processes on the system get unexpected privileges to the
fold...@home files, and fold...@home does not get unexpected privileges
to other files that might also be making the same mistake. :)
Thanks!
** Affects: origami (Ubuntu)
Importance: Undecided
Status: New
** Visibility changed to: Public
--
origami should not use 'nogroup' for group file ownership
https://bugs.launchpad.net/bugs/523134
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
