Package: gnunet-server
Version: 0.9.3-2
The gnunet-helper-fs-publish binary is provided set-UID root by
the package, which (as per upstream, see below) is unnecessary.
Apart from raising security concerns, it also precludes
gnunet-publish(1) from running when GNUnet itself runs under an
“ordinary” user (as opposed to a dedicated, “system” one.)
My reading of debian/gnunet-server.postinst (as of b3ea4f34,
quoted below) is that the issue is likely to be present in the
yet unreleased 0.9.3-4 version of the package.
--cut: gnunet/debian/gnunet-server.postinst --
for file in /usr/bin/gnunet-helper-exit \
    /usr/bin/gnunet-helper-fs-publish \
    /usr/bin/gnunet-helper-nat-client \
    /usr/bin/gnunet-helper-nat-server \
    /usr/bin/gnunet-helper-transport-wlan \
    /usr/bin/gnunet-helper-vpn
do
    # only do something when no setting exists
    if ! dpkg-statoverride --list $file >/dev/null 2>&1 && [ -e $file ]
    then
        chown root:${_GROUPNAME} $file
        chmod 4754 $file
    fi
done
--cut: gnunet/debian/gnunet-server.postinst --
Could this please be rectified? TIA.
>>>>> Christian Grothoff <[email protected]> writes:
>>>>> On 10/21/2012 08:42 AM, Ivan Shmakov wrote:
[…]
>> • A number of binaries (as per the gnunet-server 0.9.3-2 Debian
>> package) come set-UID root:
>> gnunet-helper-dns
>> gnunet-helper-exit
>> gnunet-helper-fs-publish
>> gnunet-helper-nat-client
>> gnunet-helper-nat-server
>> gnunet-helper-transport-wlan
>> gnunet-helper-vpn
> Ugh, gnunet-helper-fs-publish should NOT be SUID! That's a serious
> bug in the Debian package, please report it to Debian!
[…]
--
FSF associate member #7257
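
An added example, not part of the original report or of the Debian package: a small audit function that lists gnunet-helper-* binaries carrying the set-UID bit that are not expected to. The allow-list is an assumption, taken from the seven helpers named in the quoted message minus gnunet-helper-fs-publish; the function name is hypothetical.

```shell
#!/bin/sh
# Added example: audit the set-UID bit on GNUnet helper binaries.
# ALLOWED_SUID is an assumption: the helpers listed in the quoted
# message, minus gnunet-helper-fs-publish, which upstream says
# should not be set-UID.
ALLOWED_SUID="gnunet-helper-dns gnunet-helper-exit gnunet-helper-nat-client"
ALLOWED_SUID="$ALLOWED_SUID gnunet-helper-nat-server"
ALLOWED_SUID="$ALLOWED_SUID gnunet-helper-transport-wlan gnunet-helper-vpn"

# Print the name of every gnunet-helper-* file in directory $1 that has
# the set-UID bit but is not in ALLOWED_SUID.
# Returns 1 if at least one such file was found, 0 otherwise.
audit_gnunet_helpers() {
    dir=$1
    found=0
    for file in "$dir"/gnunet-helper-*; do
        [ -f "$file" ] || continue      # unmatched glob or not a regular file
        [ -u "$file" ] || continue      # set-UID bit is not set
        name=${file##*/}
        case " $ALLOWED_SUID " in
            *" $name "*) continue ;;    # expected to be set-UID
        esac
        echo "$name"
        # The postinst skips any file that has a dpkg-statoverride entry,
        # so show that entry when dpkg is available (stderr, informational).
        if command -v dpkg-statoverride >/dev/null 2>&1; then
            dpkg-statoverride --list "$file" >&2 || true
        fi
        found=1
    done
    return $found
}
```

On an installed system, `audit_gnunet_helpers /usr/bin` prints the offending helper names and returns non-zero when any are found.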