severity 414644 serious
quit

On Tue, Mar 13, 2007 at 12:39:08AM +0100, Robert Luberda wrote:
> Package: popularity-contest
> Version: 1.40
> Severity: important
> Tags: security, patch
>
> Hi,
>
> The popularity-contest's weekly cron job sets HOME to /tmp before
> generating the popularity report. By doing that it tries to avoid dpkg
> failures on an unreadable /root/.dpkg.cfg file.
> However /tmp is world-writable, so any user can create /tmp/.dpkg.cfg
> and make it unreadable for others, thus causing dpkg to generate a
> "failed to open config file" warning.
>
> Patch:
> - set HOME to e.g. /nonexistent
> or
> - don't pass the `-p' option to su
Actually this is worse than that: the user can add various options to dpkg
in that file that will then be used by dpkg.

I am evaluating the following patch (which does the latter of your
proposals).

Cheers,
-- 
Bill. <[EMAIL PROTECTED]>

Imagine a large blue swirl here.

Index: debian/cron.weekly
===================================================================
RCS file: /cvsroot/popcon/popularity-contest/debian/cron.weekly,v
retrieving revision 1.18
diff -u -r1.18 cron.weekly
--- debian/cron.weekly 7 Oct 2006 14:50:32 -0000 1.18
+++ debian/cron.weekly 13 Mar 2007 21:11:46 -0000
@@ -30,8 +30,7 @@ run_popcon() { - # Set HOME to avoid bug #212013. - HOME=/tmp su -pc "sh -c /usr/sbin/popularity-contest" nobody + su -c "sh -c /usr/sbin/popularity-contest" nobody } do_sendmail()
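Review bot: the hunk removes the only comment explaining why HOME was being controlled here (bug #212013, dpkg failing on an unreadable /root/.dpkg.cfg), so a later maintainer has nothing telling them that the missing `-p` is deliberate. Suggest replacing the deleted line with a comment such as `# No -p: su must not inherit HOME (see #212013 and #414644), so dpkg reads no user-controlled .dpkg.cfg.` above the new `su -c "sh -c /usr/sbin/popularity-contest" nobody`. Also worth confirming that /usr/sbin/popularity-contest does not rely on any other variable that `su -p` previously preserved from the cron environment, since the non-preserving su gives it only the nobody account's login environment.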
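The pattern Robert describes (HOME assigned on the command line and then carried into su with `-p`, so the target user's dpkg reads a .dpkg.cfg from a directory anybody can write to) is easy to grep for in other cron scripts. The following is an added example, not code from the bug report, from Bill's reply, or from the popularity-contest package: a small POSIX shell audit that flags such lines, run against a constructed sample script modelled on the pre- and post-patch `run_popcon` (the function names and the `run_other` variant are made up for the example). It generalises slightly beyond the report by also matching `-m` and `--preserve-environment`, which are synonyms of `-p` in GNU su.

```shell
#!/bin/sh
# Added example, not code from the bug report, from Bill's reply, or from the
# popularity-contest package. It audits a shell script for the pattern the
# report describes: HOME assigned on the command line and then carried into
# su through -p/-m/--preserve-environment, so the target user's tools trust
# dotfiles in a directory the script author did not secure.

# Print "<lineno>:<line>" for each offending line in the script given as $1.
# Exit status follows grep: 0 if at least one match, 1 if none.
audit_su_preserve_env() {
    grep -nE '(^|[[:space:]])HOME=[^[:space:]]+.*[[:space:]]su[[:space:]]+(-[[:alnum:]]*[pm][[:alnum:]]*|--preserve-environment)' "$1"
}

# Number of offending lines, as a bare integer (0 when the script is clean).
count_su_preserve_env() {
    audit_su_preserve_env "$1" | wc -l | tr -d ' '
}

# Write a constructed sample cron script to a temporary file and print its path.
# run_popcon_old mirrors the pre-patch cron.weekly, run_popcon_fixed the patched
# form, and run_other is a made-up variant using the long option name.
make_sample_cron() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
#!/bin/sh
# constructed sample, modelled on popularity-contest's cron.weekly
run_popcon_old() {
    HOME=/tmp su -pc "sh -c /usr/sbin/popularity-contest" nobody
}
run_popcon_fixed() {
    su -c "sh -c /usr/sbin/popularity-contest" nobody
}
run_other() {
    HOME=/var/tmp su --preserve-environment -c /usr/bin/true nobody
}
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample_cron)
audit_su_preserve_env "$sample"
echo "offending lines: $(count_su_preserve_env "$sample")"
rm -f "$sample"
```

Run it as `sh audit.sh`; on the constructed sample it reports the `run_popcon_old` and `run_other` lines and leaves the patched `run_popcon_fixed` alone, which is the behaviour the diff above is meant to achieve for the real cron job.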