tag 521411 - security
thanks

Jonathan Wiltshire wrote:
> Package: mrtg
> Version: 2.16.2-3
> Severity: normal
> Tags: security
> 
> During clean install on lenny, debconf asks:
> 
> 'Make /etc/mrtg.cfg owned by and readable only by the MRTG user?'
> 
> But it is ignored and after installation the file is listed like this:
> 
> -rw-r----- 1 root root 53211 2009-03-27 11:14 mrtg.cfg
> 
> Please fix the configuration or, if this is not yet feasible (a la #76417) 
> at least don't mis-lead the user by asking this question.


>From what I see in the postinst file, and to the letter of the question,
the postinst does what it says it does except that the MRTG user is not
'mrtg', but root. mrtg is run under root from crontab hence MRTG user ==
root.

So yes, the question is a little misleading. It should read,

  'Set /etc/mrtg.cfg to be readable only by root user?'


Running mrtg under non-root user can have its own security problems. For
example, config file that is non-readable by www-data, is suddenly
readable. mrtg having its own user is probably not going to happen as
any administrator can already do this and run mrtg under its own user
with about 3 lines to type.

- Adam



-- 
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to