Package: scanlogd Severity: important Version: 2.2.7-0.1 X-Debbugs-Cc: so...@openwall.com
----- Weitergeleitete Nachricht von Solar Designer <so...@openwall.com> ----- Datum: Thu, 4 Mar 2021 14:25:23 +0100 Von: Solar Designer <so...@openwall.com> Betreff: Re: Debian scanlogd An: Mike Gabriel <mike.gabr...@das-netzwerkteam.de> Cc: sunwea...@debian.org Hi Mike, On Sat, Feb 27, 2021 at 02:08:21PM +0100, Solar Designer wrote:
Unfortunately, there's still a major issue: As the comment in params.h says, "The directory and its parent directories must not be writable by anyone but root." However, you set the directory to /run/scanlogd/empty and then do: # the rundir is used for chroot'ing scanlogd into before # starting with portscan detections umask 022 if [ ! -d $RDIR/empty ]; then mkdir -p $RDIR/empty chown -R scanlogd:nogroup $RDIR fi The "chown" breaks scanlogd's security hardening, and must be removed.
If you're not going to fix this now, then let's create a Debian bug for it, so that it's not forgotten. Will you, please? Alexander ----- Ende der weitergeleiteten Nachricht ----- The propose patch for this is: ``` [sunweaver@sunobo scanlogd (master)]$ git diff diff --git a/debian/scanlogd.init b/debian/scanlogd.init index 1095d97..90c9d8e 100644 --- a/debian/scanlogd.init +++ b/debian/scanlogd.init @@ -33,7 +33,8 @@ set -e umask 022 if [ ! -d $RDIR/empty ]; then mkdir -p $RDIR/empty - chown -R scanlogd:nogroup $RDIR + chown scanlogd:nogroup $RDIR + chown root:root $RDIR/empty fi case "$1" in ``` @Alexander: you ok with this change? It should be sufficient, shouldn't it? Mike -- mike gabriel aka sunweaver (Debian Developer) mobile: +49 (1520) 1976 148 landline: +49 (4351) 486 14 27 GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31 mail: sunwea...@debian.org, http://sunweavers.net
pgphTHuTiGcND.pgp
Description: Digitale PGP-Signatur