Package: jwchat
Version: 1.0beta3-3
Severity: important
Tags: security

The postinst of jwchat has some strange ideas about file permissions.

1) It assigns /etc/jwchat/config.js to www-data:www-data. The file is to be considered static configuration. I see no reason for why www-data should be able to modify it. Note that the file mode is 700. On changing the owner to a sane value such as root, additional read permission must be granted. This should not pose a problem, because the file does not contain confidential information and is exported via http anyway.

See also: http://bugs.debian.org/396255

2) It assigns /usr/share/jwchat/www to nobody:nogroup recursively. I see no reason for why nobody should be able to modify this data.

The bug is also present in sid 1.0+dfsg-1.

Helmut
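An added example, not part of the bug report or the jwchat package: a small audit that flags the two conditions the report describes (static files owned by a service account) and the follow-on condition it warns about (a root-owned file at mode 700 that the web server can no longer read). The account list, the finding labels and every sample mode other than 700 are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the bug report or the jwchat package.
# Input: one "<owner>:<group> <octal-mode> <path>" line per file, as printed by
#   stat -c '%U:%G %a %n' /etc/jwchat/config.js /usr/share/jwchat/www
# (GNU coreutils stat).

# Accounts that serve the files and so should not own them (assumed list).
SERVICE_ACCOUNTS="www-data nobody"

# audit_perms: read stat lines on stdin, print one finding per problem,
# return 1 if anything was flagged and 0 otherwise.
audit_perms() {
    found=0
    while read -r owner_group mode path; do
        [ -n "$path" ] || continue
        owner=${owner_group%%:*}
        for acct in $SERVICE_ACCOUNTS; do
            if [ "$owner" = "$acct" ]; then
                echo "OWNER $path is owned by $owner"
                found=1
            fi
        done
        # The last octal digit holds the "other" bits; 4 is read.
        other=${mode#"${mode%?}"}
        if [ "$owner" = root ] && [ $(( ${other:-0} & 4 )) -eq 0 ]; then
            echo "UNREADABLE $path mode $mode hides it from the web server"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample inputs (modes other than 700 are made up).
sample_reported() {   # state described in the report
    echo "www-data:www-data 700 /etc/jwchat/config.js"
    echo "nobody:nogroup 755 /usr/share/jwchat/www"
}
sample_chown_only() { # owner fixed, mode left at 700
    echo "root:root 700 /etc/jwchat/config.js"
}
sample_fixed() {      # owner fixed and read permission granted
    echo "root:root 644 /etc/jwchat/config.js"
    echo "root:root 755 /usr/share/jwchat/www"
}
```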