Package: apt-cacher
Version: 1.5.3
Severity: normal
Tags: security

The apt-cacher daemon process has additional root group membership.

# cat /proc/$(cat /var/run/apt-cacher.pid)/status
Name:   apt-cacher
...
Uid:    1003    1003    1003    1003
Gid:    1003    1003    1003    1003
FDSize: 64
Groups: 0
       ^^^

If root group access is abused (by some other/future bug), the apt-cacher
process can, for example, read passwords from /dev/input/event* ...

Simple fix:
According to `man perlvar' (/EGID), the setup_ownership subroutine should do
$) = "$gid $gid";

Regards,
Kupson

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.20-2-xen-amd64
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages apt-cacher depends on:
ii  bzip2                       1.0.3-6      high-quality block-sorting file co
ii  libwww-perl                 5.805-1      WWW client/server library for Perl
ii  perl                        5.8.8-7etch1 Larry Wall's Practical Extraction 

apt-cacher recommends no packages.

-- no debconf information
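
The check from the report, generalized as an added example (not part of the original report or of apt-cacher's code): it parses /proc/<pid>/status text and reports when a process running under a non-root UID still lists GID 0 among its supplementary groups. The function names and sample dumps are constructed for illustration; the first sample mirrors the values quoted in the report.

```python
import glob

# Constructed samples; the first mirrors the values quoted in the report.
REPORTED = ("Name:\tapt-cacher\nUid:\t1003\t1003\t1003\t1003\n"
            "Gid:\t1003\t1003\t1003\t1003\nFDSize:\t64\nGroups:\t0\n")
FIXED = REPORTED.replace("Groups:\t0", "Groups:\t1003")

def parse_status(text):
    """Extract Name, Uid, Gid and Groups from a /proc/<pid>/status dump."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key in ("Name", "Uid", "Gid", "Groups"):
            fields[key] = value.split()
    return {
        "name": " ".join(fields.get("Name", [])),
        "uids": {int(u) for u in fields.get("Uid", [])},
        "gids": {int(g) for g in fields.get("Gid", [])},
        "groups": {int(g) for g in fields.get("Groups", [])},
    }

def privileged_leftovers(text, privileged=frozenset({0})):
    """Privileged supplementary groups held by a process that is not root.

    Returns an empty set when any of the four UIDs is still 0 (no privilege
    drop happened) or when the supplementary list has no privileged GID.
    """
    st = parse_status(text)
    if 0 in st["uids"]:
        return set()
    return st["groups"] & privileged

def scan_proc():
    """Yield (pid, name, leftovers) for live processes; Linux only."""
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path) as fh:
                text = fh.read()
        except OSError:  # process exited between glob and open
            continue
        extra = privileged_leftovers(text)
        if extra:
            yield path.split("/")[2], parse_status(text)["name"], extra

if __name__ == "__main__":
    for pid, name, extra in scan_proc():
        print(f"{pid}\t{name}\tretained groups: {sorted(extra)}")
```
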


