Package: ntop
Version: 3:3.3-11+b2
Severity: normal
Tags: patch, security

/var/log/access.log is writeable by everyone. The following would fix that: --- postinst 2008-08-06 17:55:17.000000000 +0200 +++ postinst.new 2010-02-06 14:07:59.000000000 +0100 
@@ -35,14 +35,17 @@ adduser --system --group --home /var/lib/ntop $USER fi - # make status dir owned by user if grep -q ^$USER: /etc/passwd; then + # make status dir owned by user chown -Rf $USER /var/lib/ntop - chown -Rf $USER /var/log/ntop + # make log dir owned by user and group + chown -Rf $USER: /var/log/ntop fi fi -chmod o-rx /var/lib/ntop +chmod o= /var/lib/ntop +# content of log dir inherits group permission +chmod g+s,o= /var/log/ntop echo USER=\"$USER\" > $INITCFG echo INTERFACES=\"$INTERFACES\" >> $INITCFG

-- System Information:
Debian Release: 5.0.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages ntop depends on:
ii  adduser              3.110                 add and remove users and groups
ii  debconf [debconf-2.  1.5.24                Debian configuration management sy
ii  libc6                2.7-18lenny2          GNU C Library: Shared libraries
ii  libcairo2            1.6.4-7               The Cairo 2D vector graphics libra
ii  libfontconfig1       2.6.0-3               generic font configuration library
ii  libfreetype6         2.3.7-2+lenny1        FreeType 2 font engine, shared lib
ii  libgdbm3             1.8.3-3               GNU dbm database routines (runtime
ii  libglib2.0-0         2.16.6-3              The GLib library of C routines
ii  libpango1.0-0        1.20.5-5              Layout and rendering of internatio
ii  libpcap0.8           0.9.8-5               system interface for user-level pa
ii  libpixman-1-0        0.10.0-2              pixel-manipulation library for X a
ii  libpng12-0           1.2.27-2+lenny2       PNG library - runtime
ii  librrd4              1.3.1-4               Time-series data storage and displ
ii  libssl0.9.8          0.9.8g-15+lenny6      SSL shared libraries
ii  libx11-6             2:1.1.5-2             X11 client-side library
ii  libxcb-render-util0  0.2.1+git1-1          utility libraries for X C Binding
ii  libxcb-render0       1.1-1.2               X C Binding, render extension
ii  libxcb1              1.1-1.2               X C Binding
ii  libxml2              2.6.32.dfsg-5+lenny1  GNOME XML library
ii  libxrender1          1:0.9.4-2             X Rendering Extension client libra
ii  zlib1g               1:1.2.3.3.dfsg-12     compression library - runtime

ntop recommends no packages.

Versions of packages ntop suggests:
ii  graphviz  2.20.2-3                    rich set of graph drawing tools
ii  gsfonts   1:8.11+urwcyr1.0.7~pre44-3  Fonts for the Ghostscript interpre

-- debconf information:
* ntop/interfaces: eth0
* ntop/user: ntop
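
Review bot: The new `chmod g+s,o= /var/log/ntop` at the end of the hunk changes only the directory itself, so a log file that is already world-writable keeps its mode, and the comment above it is inaccurate: setgid on a directory makes new entries inherit the directory's group, not its permission bits. With this change the protection rests entirely on "others" having no search permission on the directory. Consider also clearing the other-write bit on the files that already exist in /var/log/ntop, or fixing the mode at the point where ntop creates the log, and rewording the comment to something like "new files in log dir inherit its group". The report text names /var/log/access.log while the patch operates on /var/log/ntop, so it would help to state the exact path being fixed.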