Hey Simon,

On Tue, Feb 20, 2018 at 8:09 PM, Simon Boldinger <si...@turnagile.com> wrote:

> Package: freeradius
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Dear Maintainer,
>
> first of all, I already shared the following information with the debian
> security team and they asked me to file this as a bug report: "I'm not why
> the Debian packaging diverges, can you please file a bug against freeradius
> to have the discussion with the maintainers in public?", Moritz Muehlenhoff
> from debian security team.
>
> Issue:
> It seems, that sensitive information (for example stored in
> /etc/freeradius/users) can be read by every system user ("others"). After
> asking the freeradius team I was told, that the /etc/freeradius directory
> has permissions 750 on their install (see Makefile). On my standard
> ubuntu/debian package installation there is another/divergent permission
> set, which allows every system user to access the freeradius directory (and
> therefore also some files like /etc/freeradius/users which can contain
> sensitive information).

I cannot reproduce this. After “apt install freeradius” on debian sid, I end up with the following directory:

root@a584ef009927:/# ls -ldR /etc/freeradius
drwxr-s--x 3 freerad freerad 4096 Feb 25 15:08 /etc/freeradius

The permissions are set up by
https://anonscm.debian.org/cgit/pkg-freeradius/freeradius.git/tree/debian/freeradius.postinst?id=f205eab8474e33183d936f4f60006a2e070e8335#n23

Unfortunately, your bug report was not filed from the machine on which you installed freeradius, so I can’t see which version of the package you’re using. Can you provide more details on your installation, along with the result of ls -ldR /etc/freeradius please?

> I assume the debian freeradius package should be adapted, so that access
> to the whole /etc/freeradius directory is restricted, as intended by the
> freeradius team.
>
> Best regards
> Simon Boldinger
>
>
> -- System Information:
> Debian Release: stretch/sid
>   APT prefers artful-updates
>   APT policy: (500, 'artful-updates'), (500, 'artful-security'), (500, 'artful'), (100, 'artful-backports')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.13.0-32-generic (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages freeradius depends on:
> pn  freeradius-common   <none>
> pn  freeradius-config   <none>
> ii  libc6               2.26-0ubuntu2.1
> pn  libct4              <none>
> pn  libfreeradius3      <none>
> ii  libgdbm3            1.8.3-14
> ii  libpam0g            1.1.8-3.2ubuntu3
> ii  libperl5.26         5.26.0-8ubuntu1
> ii  libpython2.7        2.7.14-2ubuntu2
> ii  libreadline7        7.0-0ubuntu2
> ii  libsqlite3-0        3.19.3-3
> ii  libssl1.0.0         1.0.2g-1ubuntu13.3
> ii  libtalloc2          2.1.9-2ubuntu1
> ii  libwbclient0        2:4.6.7+dfsg-1ubuntu3.1
> ii  lsb-base            9.20160110ubuntu5
>
> Versions of packages freeradius recommends:
> pn  freeradius-utils    <none>
>
> Versions of packages freeradius suggests:
> pn  freeradius-krb5        <none>
> pn  freeradius-ldap        <none>
> pn  freeradius-mysql       <none>
> pn  freeradius-postgresql  <none>
> pn  snmp                   <none>
>
> _______________________________________________
> Pkg-freeradius-maintainers mailing list
> pkg-freeradius-maintain...@lists.alioth.debian.org
> https://lists.alioth.debian.org/mailman/listinfo/pkg-freeradius-maintainers

-- 
Best regards,
Michael
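Added example, not part of this thread or of the Debian package: a small shell check of the point behind the ls output above. A directory mode such as drwxr-s--x (2751) gives "other" users search (x) but not read (r), so they cannot list the directory but can still open any world-readable file inside it whose name they know (/etc/freeradius/users being a well-known name); 750 blocks them at the directory. `others_can_read` and `audit_dir` are assumed helper names, and `audit_dir` relies on GNU `stat -c`.

```shell
#!/bin/sh
# Decide whether an arbitrary local user (the "other" class) can read a file,
# given the octal mode of its parent directory and of the file. Traversing a
# directory needs the x bit; reading the file needs the r bit. Owner, group
# membership and POSIX ACLs are deliberately ignored (worst-case view).

# others_can_read DIR_MODE FILE_MODE  -> prints "yes" or "no"
# Modes are given as stat -c %a prints them, e.g. 750, 2751, 644.
others_can_read() {
    # A leading 0 makes the shell parse the digits as octal; & 7 keeps the
    # "other" triplet. Bit 1 = execute/search, bit 4 = read.
    dir_other=$(( 0$1 & 7 ))
    file_other=$(( 0$2 & 7 ))
    if [ $(( dir_other & 1 )) -ne 0 ] && [ $(( file_other & 4 )) -ne 0 ]; then
        echo yes
    else
        echo no
    fi
}

# audit_dir DIR: report, for each regular file directly under DIR, whether an
# unrelated local user could read it. Intended for something like
# audit_dir /etc/freeradius on a real host (requires GNU stat).
audit_dir() {
    dir=$1
    dmode=$(stat -c '%a' "$dir") || return 1
    find "$dir" -maxdepth 1 -type f | while read -r f; do
        fmode=$(stat -c '%a' "$f")
        printf '%-40s dir=%s file=%s readable_by_others=%s\n' \
            "$f" "$dmode" "$fmode" "$(others_can_read "$dmode" "$fmode")"
    done
}
```

With 2751 on the directory, a 644 users file is exposed while a 640 one is not, so the file modes set by the package matter as much as the directory mode.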