Your message dated Tue, 24 Sep 2024 04:18:53 +0000
with message-id <[email protected]>
and subject line Bug#1082430: fixed in krb5-wallet 1.6
has caused the Debian Bug report #1082430,
regarding krb5-kdc, krb5-keytab-backend: Permission mismatch for /etc/krb5kdc/
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1082430: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082430
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: krb5-kdc, krb5-keytab-backend
Severity: important
X-Debbugs-Cc: Helmut Grohne <[email protected]>

Hi!

While analyzing the archive for mismatched file metadata (as part of
the preparation to add support into dpkg), thanks to Helmut gathering
the data from the archive, I noticed that these two packages have a
mismatch in the permissions for the /etc/krb5kdc/ directory, where
there could be security implications, if the contents are expected to
contain secrets that only root is supposed to read, as the permissions
of the directory are decided by the first package being unpacked, and
subsequent directory unpacks get ignored (including any change in
permissions).

  $ dpkg-deb -c krb5-kdc_1.21.3-3_amd64.deb | grep etc/krb5kdc
  drwx------ root/root         0 2024-07-05 19:25 ./etc/krb5kdc/
  $ dpkg-deb -c krb5-keytab-backend_1.5-1.1_all.deb | grep etc/krb5kdc
  drwxr-xr-x root/root         0 2024-08-02 01:29 ./etc/krb5kdc/
  -rw-r--r-- root/root       287 2024-06-20 19:20 ./etc/krb5kdc/allow-extract

I'm not sure which one is correct. Assigned to both for awareness and
coordination purposes, feel free to reassign to whichever might need
to adapt the permissions. If this has security implications then it
might be worth setting the security tag, and raising the severity and
perhaps preparing a change for a stable update too? If there are no
security implications, it would still be good to make the permissions
consistent, otherwise dpkg would start warning or erroring out on
mismatched metadata once the support gets in and is enabled.

Thanks,
Guillem

--- End Message ---
--- Begin Message ---
Source: krb5-wallet
Source-Version: 1.6
Done: Bill MacAllister <[email protected]>

We believe that the bug you reported is fixed in the latest version of
krb5-wallet, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bill MacAllister <[email protected]> (supplier of updated krb5-wallet package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 23 Sep 2024 20:50:47 -0700
Source: krb5-wallet
Architecture: source
Version: 1.6
Distribution: unstable
Urgency: medium
Maintainer: Bill MacAllister <[email protected]>
Changed-By: Bill MacAllister <[email protected]>
Closes: 1082430
Changes:
 krb5-wallet (1.6) unstable; urgency=medium
 .
   [ Bill MacAllister ]
   * Convert source to native Debian package.
   * Update ACL ldap-attr to accept an arbitrary LDAP filter and improve
     the performance of the ACL check by using a single LDAP search for the
     check.
 .
   [ Russ Allbery ]
   * Fix the permissions on /etc/krb5kdc.  (Closes: #1082430)
   * Add lintian override for the switch from a non-native package to a
     native package.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----



--- End Message ---
