Your message dated Sun, 24 Jan 2010 09:08:58 -0800
with message-id <[email protected]>
and subject line ltspfs: insufficient permissions on files.
has caused the Debian Bug report #565962,
regarding ltspfs: insufficient permissions on files.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
565962: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=565962
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: ltspfs
Version: 0.5.3-3
Severity: important
Tags: security, patch

all versions of ltspfs prior to 0.5.14 may allow other users who are in the
same group as the user's primary group to read files mounted using ltspfs.

this is fixed upstream with the following patch:

  
http://bazaar.launchpad.net/~ltsp-upstream/ltspfs/ltspfs-trunk/revision/120/src/ltspfs.c

=== modified file 'src/ltspfs.c'
--- src/ltspfs.c        2009-03-06 21:28:04 +0000
+++ src/ltspfs.c        2010-01-12 21:05:47 +0000
@@ -343,6 +343,13 @@
     stbuf->st_uid = fc->uid;
     stbuf->st_gid = fc->gid;

+    /*
+     * Also, in order to make sure that all files are umask 700, we'll
+     * manipulate the st_mode at this point.
+     */
+
+    stbuf->st_mode = stbuf->st_mode & (S_IFDIR | S_IFREG | 0700);
+
     if (!xdr_u_longlong_t(&in, &stbuf->st_rdev))
         return -EACCES;
     if (!xdr_longlong_t(&in, &stbuf->st_size))
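
Review bot: the mask on the added stbuf->st_mode line, (S_IFDIR | S_IFREG | 0700), does not cover the whole file-type field, so it changes the reported type of anything that is not a plain file or directory. With the usual Linux values a symlink (S_IFLNK, 0120000) comes out as S_IFREG, a block device (0060000) comes out as S_IFDIR, and character devices and FIFOs lose their type bits entirely. Masking with (S_IFMT | 0700) keeps every type intact while still clearing the group and other permission bits and the setuid/setgid/sticky bits. The new comment also says "umask 700", but what the line applies is a permission mask of 0700 (the equivalent umask would be 077); rewording it would avoid confusion for the next reader.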

i haven't yet tested it, but it or a modified version will hopefully work with
0.5.3, as well.

live well,
  vagrant



--- End Message ---
--- Begin Message ---
Version: 0.5.14-1

this bug was fixed in 0.5.14-1. the versions currently in squeeze (0.5.13-1)
and lenny (0.5.3-3) are still affected, though.

live well,
  vagrant


--- End Message ---
