Package: ntop
Version: 3:3.3-11+b2
Severity: normal
Tags: patch, security

/var/log/access.log is writeable by everyone. The following would fix that:


--- postinst    2008-08-06 17:55:17.000000000 +0200
+++ postinst.new        2010-02-06 14:07:59.000000000 +0100
@@ -35,14 +35,17 @@
        adduser --system --group --home /var/lib/ntop $USER
     fi

-    # make status dir owned by user
     if grep -q ^$USER: /etc/passwd; then
+        # make status dir owned by user
        chown -Rf $USER /var/lib/ntop
-       chown -Rf $USER /var/log/ntop
+        # make log dir owned by user and group
+       chown -Rf $USER: /var/log/ntop
     fi
 fi

-chmod o-rx /var/lib/ntop
+chmod o= /var/lib/ntop
+# content of log dir inherits group permission
+chmod g+s,o= /var/log/ntop

 echo USER=\"$USER\" > $INITCFG
 echo INTERFACES=\"$INTERFACES\" >> $INITCFG
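Review bot: The final `chmod g+s,o= /var/log/ntop` is not recursive, so it changes only the directory's mode. Log files that were already created world-writable keep their own mode bits and are shielded only because others can no longer search the directory. The report names /var/log/access.log, a path this hunk never touches, so please confirm which file is meant and add an explicit `chmod o=` (or at least `o-w`) on the existing log files. The comment "content of log dir inherits group permission" should also be reworded: setgid on a directory makes new files inherit its group ownership, while their permission bits still come from the creating process's umask.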

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages ntop depends on:
ii  adduser             3.110                add and remove users and groups
ii  debconf [debconf-2. 1.5.24               Debian configuration management sy
ii  libc6               2.7-18lenny2         GNU C Library: Shared libraries
ii  libcairo2           1.6.4-7              The Cairo 2D vector graphics libra
ii  libfontconfig1      2.6.0-3              generic font configuration library
ii  libfreetype6        2.3.7-2+lenny1       FreeType 2 font engine, shared lib
ii  libgdbm3            1.8.3-3              GNU dbm database routines (runtime
ii  libglib2.0-0        2.16.6-3             The GLib library of C routines
ii  libpango1.0-0       1.20.5-5             Layout and rendering of internatio
ii  libpcap0.8          0.9.8-5              system interface for user-level pa
ii  libpixman-1-0       0.10.0-2             pixel-manipulation library for X a
ii  libpng12-0          1.2.27-2+lenny2      PNG library - runtime
ii  librrd4             1.3.1-4              Time-series data storage and displ
ii  libssl0.9.8         0.9.8g-15+lenny6     SSL shared libraries
ii  libx11-6            2:1.1.5-2            X11 client-side library
ii  libxcb-render-util0 0.2.1+git1-1         utility libraries for X C Binding 
ii  libxcb-render0      1.1-1.2              X C Binding, render extension
ii  libxcb1             1.1-1.2              X C Binding
ii  libxml2             2.6.32.dfsg-5+lenny1 GNOME XML library
ii  libxrender1         1:0.9.4-2            X Rendering Extension client libra
ii  zlib1g              1:1.2.3.3.dfsg-12    compression library - runtime

ntop recommends no packages.

Versions of packages ntop suggests:
ii  graphviz      2.20.2-3                   rich set of graph drawing tools
ii  gsfonts       1:8.11+urwcyr1.0.7~pre44-3 Fonts for the Ghostscript interpre

-- debconf information:
* ntop/interfaces: eth0
* ntop/user: ntop


