On Mon, Feb 26, 2018 at 8:17 PM, <si...@turnagile.com> wrote:

> Hi Michael,
>
> thanks for your response. The permission setting you described is exactly
> the setting I found on my host(s):
>
> root@intra:/etc/freeradius# ls -ldR /etc/freeradius/
> drwxr-s--x 6 freerad freerad 28 Feb 25 16:39 /etc/freeradius/
>
> But in combination with the /etc/freeradius/users permission setting:
>
> root@intra:/etc/freeradius# ls -ldR /etc/freeradius/users
> -rw-r--r-- 1 root root 6524 Jul 26 2017 /etc/freeradius/users
>
> an "other" user can simply read the (maybe sensitive) content via a simple
> "cat /etc/freeradius/users".
>
> So, from my point of view the /etc/freeradius permissions should for
> example be set to 750, or the files within this directory (especially the
> "users" file) need more restrictive permissions.
>
> Sorry for not sending the bug report from the affected host, but in this
> case I think it is not necessary anymore?

It would still be good to know the version numbers involved, as permissions
have changed repeatedly over time. When doing a fresh installation, or
upgrading from < 3.0.12+dfsg-2, the postinst script will change the
permission of all files underneath /etc/freeradius to 640, so either you
must be using a very old version, or something else went wrong. I'm also
curious because recent package versions use /etc/freeradius/3.0, not
/etc/freeradius.

In any case, the packaging used mode 2751 for /etc/freeradius before I
became the maintainer, so I never questioned it. Especially seeing that
upstream is in agreement, I'm all for using a stricter permission. I'll
change the package to use 2750 going forward.

jmm, is there any documentation regarding best practices for /etc directory
modes in Debian that I could refer to in my commit message?

> Greets
>
> Simon
>
> From: mich...@i3wm.org [mailto:mich...@i3wm.org] On behalf of Michael
> Stapelberg
> Sent: Sunday, 25 February 2018 16:13
> To: Simon Boldinger <si...@turnagile.com>; 890...@bugs.debian.org
> Subject: Re: [Pkg-freeradius-maintainers] Bug#890933: freeradius: File
> permissions allow access to sensitive information by "others"
>
> Hey Simon,
>
> On Tue, Feb 20, 2018 at 8:09 PM, Simon Boldinger <si...@turnagile.com>
> wrote:
>
> > Package: freeradius
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> >
> > Dear Maintainer,
> >
> > first of all, I already shared the following information with the debian
> > security team and they asked me to file this as a bug report: "I'm not why
> > the Debian packaging diverges, can you please file a bug against freeradius
> > to have the discussion with the maintainers in public?", Moritz Muehlenhoff
> > from debian security team.
> >
> > Issue:
> > It seems that sensitive information (for example stored in
> > /etc/freeradius/users) can be read by every system user ("others"). After
> > asking the freeradius team I was told that the /etc/freeradius directory
> > has permissions 750 on their install (see Makefile). On my standard
> > ubuntu/debian package installation there is another/divergent permission
> > set, which allows every system user to access the freeradius directory (and
> > therefore also some files like /etc/freeradius/users which can contain
> > sensitive information).
>
> I cannot reproduce this. After "apt install freeradius" on debian sid, I
> end up with the following directory:
>
> root@a584ef009927:/# ls -ldR /etc/freeradius
> drwxr-s--x 3 freerad freerad 4096 Feb 25 15:08 /etc/freeradius
>
> The permissions are set up by
> https://anonscm.debian.org/cgit/pkg-freeradius/freeradius.git/tree/debian/freeradius.postinst?id=f205eab8474e33183d936f4f60006a2e070e8335#n23
>
> Unfortunately, your bug report was not filed from the machine on which you
> installed freeradius, so I can't see which version of the package you're
> using.
>
> Can you provide more details on your installation, along with the result
> of ls -ldR /etc/freeradius please?
>
> > I assume the debian freeradius package should be adapted, so that access
> > to the whole /etc/freeradius directory is restricted, as intended by the
> > freeradius team.
> >
> > Best regards
> > Simon Boldinger
> >
> > -- System Information:
> > Debian Release: stretch/sid
> > APT prefers artful-updates
> > APT policy: (500, 'artful-updates'), (500, 'artful-security'), (500, 'artful'), (100, 'artful-backports')
> > Architecture: amd64 (x86_64)
> > Foreign Architectures: i386
> >
> > Kernel: Linux 4.13.0-32-generic (SMP w/8 CPU cores)
> > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
> > Shell: /bin/sh linked to /bin/dash
> > Init: systemd (via /run/systemd/system)
> >
> > Versions of packages freeradius depends on:
> > pn  freeradius-common  <none>
> > pn  freeradius-config  <none>
> > ii  libc6  2.26-0ubuntu2.1
> > pn  libct4  <none>
> > pn  libfreeradius3  <none>
> > ii  libgdbm3  1.8.3-14
> > ii  libpam0g  1.1.8-3.2ubuntu3
> > ii  libperl5.26  5.26.0-8ubuntu1
> > ii  libpython2.7  2.7.14-2ubuntu2
> > ii  libreadline7  7.0-0ubuntu2
> > ii  libsqlite3-0  3.19.3-3
> > ii  libssl1.0.0  1.0.2g-1ubuntu13.3
> > ii  libtalloc2  2.1.9-2ubuntu1
> > ii  libwbclient0  2:4.6.7+dfsg-1ubuntu3.1
> > ii  lsb-base  9.20160110ubuntu5
> >
> > Versions of packages freeradius recommends:
> > pn  freeradius-utils  <none>
> >
> > Versions of packages freeradius suggests:
> > pn  freeradius-krb5  <none>
> > pn  freeradius-ldap  <none>
> > pn  freeradius-mysql  <none>
> > pn  freeradius-postgresql  <none>
> > pn  snmp  <none>
> >
> > _______________________________________________
> > Pkg-freeradius-maintainers mailing list
> > pkg-freeradius-maintain...@lists.alioth.debian.org
> > https://lists.alioth.debian.org/mailman/listinfo/pkg-freeradius-maintainers
>
> --
> Best regards,
> Michael

--
Best regards,
Michael
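The point of the exchange above is that a mode-2751 directory (drwxr-s--x) only hides the listing of /etc/freeradius from "other" users; the x bit still lets them traverse it, so a 644 file underneath is readable by any local account. The script below is an added example, not code from this thread or from the Debian freeradius package: it walks every path component the way the kernel does during path resolution (other-x on each directory, other-r on the file) and reports the first component that blocks access. The function names are my own, the scratch tree in demo() is constructed sample data, and the script assumes GNU coreutils stat (-c '%a'), as found on Debian and Ubuntu.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from the Debian freeradius
# package. It audits the situation the report describes: a setgid directory
# with mode 2751 (drwxr-s--x) stops "other" users from listing
# /etc/freeradius, but the x bit still lets them traverse it, so a
# world-readable 644 file inside (here /etc/freeradius/users) can be read
# with a plain "cat". Either 2750 on the directory or 640 on the file closes
# that path. Assumes GNU coreutils stat (-c '%a'), as on Debian/Ubuntu.

# other_digit PATH: print the last octal digit of PATH's mode, i.e. the
# permission bits that apply to "other". stat -L follows symlinks so the
# mode of the target, not of the link, is reported.
other_digit() {
    m=$(stat -L -c '%a' "$1") || return 1
    printf '%s\n' "${m#"${m%?}"}"
}

# others_can_read BASE RELPATH: walk each component of RELPATH under BASE.
# Every directory on the way needs the other-x bit (1); the final file needs
# the other-r bit (4). BASE itself is not checked: the caller vouches for it
# (use "/" to audit a real system path). Exit 0 if "other" can read the
# file, 1 at the first component that blocks access, 2 on stat failure.
others_can_read() {
    base=${1%/}
    rest=${2#/}
    acc=$base
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        case $rest in
            */*) rest=${rest#*/} ;;
            *)   rest="" ;;
        esac
        [ -n "$comp" ] || continue     # skip empty components ("a//b")
        acc="$acc/$comp"
        d=$(other_digit "$acc") || { printf 'cannot stat %s\n' "$acc"; return 2; }
        if [ -d "$acc" ]; then
            need=1; what=x             # directory: traversal needs x
        else
            need=4; what=r             # file: cat needs r
        fi
        if [ $(( d & need )) -eq 0 ]; then
            printf 'blocked at %s: other lacks %s (mode %s)\n' \
                "$acc" "$what" "$(stat -L -c '%a' "$acc")"
            return 1
        fi
    done
    printf 'readable by any local user: %s\n' "$acc"
    return 0
}

# demo: rebuild the report's layout in a scratch tree (constructed sample
# data, not a real RADIUS config) and check the three mode combinations.
# Works as any user because it only reads mode bits; it never tries to
# open the file as another account. Returns 0 if all three match.
demo() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/etc/freeradius" && chmod 755 "$tmp/etc"
    printf 'bob Cleartext-Password := "hello"\n' > "$tmp/etc/freeradius/users"
    chmod 644 "$tmp/etc/freeradius/users"

    chmod 2751 "$tmp/etc/freeradius"          # layout as shipped per the report
    r1=0; others_can_read "$tmp" etc/freeradius/users || r1=$?

    chmod 2750 "$tmp/etc/freeradius"          # fix A: drop other-x on the dir
    r2=0; others_can_read "$tmp" etc/freeradius/users || r2=$?

    chmod 2751 "$tmp/etc/freeradius"
    chmod 640 "$tmp/etc/freeradius/users"     # fix B: postinst's 640 on files
    r3=0; others_can_read "$tmp" etc/freeradius/users || r3=$?

    rm -rf "$tmp"
    [ "$r1" -eq 0 ] && [ "$r2" -eq 1 ] && [ "$r3" -eq 1 ]
}
```

On a real host run `others_can_read / etc/freeradius/users` (or `/ etc/freeradius/3.0/users` on newer packages) rather than relying on `ls -ld` of the directory alone, since the thread shows that the directory mode by itself is not the whole story. The check covers only the "other" class: a user who is in group freerad, or who inherits that group through the setgid bit on the directory, is governed by the group bits instead, and POSIX ACLs (getfacl) are not considered at all.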