*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: dkms

DKMS appears to be using nobody uid and nogroup gid for file ownership.

nobody and nogroup exist so that programs, such as NFS daemons, may run
with this uid/gid, so they can only access files with world (other)
read/write privileges. If files in the filesystem are owned by this
uid/gid, it means that programs using nobody/nogroup are making an
incorrect assumption about the filesystem, and could mess around with
the files with the incorrect ownerships. (The fact that nobody/nogroup
are also used for overflow uid/gid is unfortunate, and one more good
reason why files should not be owned by nobody/nogroup.)

Please create a user and group for dkms, so that files are not
accidentally available to programs that have tried to give away their
privileges. (Or, perhaps the 'bin', 'sys', 'adm', or 'src' groups that
already exist in my /etc/group file could have some sort of meaning! :)

** Affects: dkms (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

-- 
dkms should not be using the nobody/nogroup uid/gid
https://bugs.launchpad.net/bugs/523138
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
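
One way to check a tree for the condition this report describes, as an added example (not code from the report or from DKMS): it lists entries owned by a given uid/gid and the rwx bits that ownership grants beyond the world bits. The function names, the directory argument and the use of the /proc overflow id files are this example's assumptions.

```python
import grp
import os
import pwd
import stat
import sys

def overflow_id(path, default=65534):
    """Kernel overflow uid/gid from /proc, or the usual default if unreadable."""
    try:
        with open(path) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return default

def extra_access(mode, is_owner, is_group):
    """rwx bits (0-7) the matching class grants beyond the 'other' bits."""
    other = mode & 0o7
    # The owner class is checked first and used exclusively, then the group class.
    shift = 6 if is_owner else 3 if is_group else 0
    return (mode >> shift) & 0o7 & ~other

def audit_tree(root, uids, gids):
    """Return sorted (path, uid, gid, extra_bits) for entries owned by uids/gids."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):  # a symlink's own mode is not used for access
                continue
            is_owner, is_group = st.st_uid in uids, st.st_gid in gids
            if is_owner or is_group:
                findings.append((path, st.st_uid, st.st_gid,
                                 extra_access(st.st_mode, is_owner, is_group)))
    return sorted(findings)

if __name__ == "__main__":
    # Assumption: the tree to audit is passed as the first argument.
    uids = {overflow_id("/proc/sys/kernel/overflowuid")}
    gids = {overflow_id("/proc/sys/kernel/overflowgid")}
    try:
        uids.add(pwd.getpwnam("nobody").pw_uid)
    except KeyError:  # no "nobody" account on this system
        pass
    try:
        gids.add(grp.getgrnam("nogroup").gr_gid)
    except KeyError:  # no "nogroup" group on this system
        pass
    for path, uid, gid, extra in audit_tree(sys.argv[1], uids, gids):
        print(f"{path} uid={uid} gid={gid} extra_rwx={extra:03b}")
```

A non-zero `extra_rwx` marks an entry that a process running as nobody/nogroup can read, write or execute even though the world bits alone would not allow it.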
