Your message dated Tue, 15 May 2007 21:54:39 +0200
with message-id <[EMAIL PROTECTED]>
and subject line Woody is long gone
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: sympa
Version: 3.3.3-3
Severity: serious
Tags: woody, security, patch

1) INSTALLATION BUG:

Summary: bug#167948 prevents installation with postgres and the fix
was never back-ported to woody.  Version 3.3.3-3 remains uninstallable
with postgres on woody.

See also:
* Bug#167948 (and 170721)
* http://lists.debian.org/debian-isp/2003/debian-isp-200306/msg00018.html

2) SECURITY ISSUE:

Sympa 3.3.3-3 creates a postgres user with unnecessarily generous granting
of privilege.  Such a suite of privileges is, IMHO, not necessary and
only serves as a potential security risk.  This too appears to have been
addressed for sarge in the closing of Bug#167948 but never back-ported to
woody.

Suggested fix for both these issues (crufty patch to install-pg-db) is
appended for consideration.

Note that my suggested fix does not address the situation where the
postgres user has been created with excessive privileges and arguably
should have some of these removed.

Regards,
Neale.

--- install-pg-db-dist  Mon Nov 11 22:42:28 2002
+++ install-pg-db       Sat Jun  7 11:52:02 2003
@@ -52,12 +52,18 @@
 $dbh->do("DELETE FROM pg_shadow WHERE usename='sympa'");
 
 # Get a sysid 
-my $usesysid = $dbh->do("SELECT MAX(usesysid) + 1 FROM pg_shadow");
+# This is badly broken...
+#my $usesysid = $dbh->do("SELECT MAX(usesysid) + 1 FROM pg_shadow");
+# This is the minimal fix...
+#my $usesysid = @{$dbh->selectcol_arrayref("SELECT MAX(usesysid) + 1 FROM 
pg_shadow")}[0];
+
+# IMHO This is probably a more correct fix (see bug#167948)...
+#$dbh->do("INSERT INTO pg_shadow".
+#         "(usename, usesysid, usecreatedb, usetrace, usesuper, usecatupd, 
passwd)".
+#       "VALUES".
+#         "('sympa', $usesysid, 't', 't', 't', 't', '$userpass')");
+$dbh->do("create user sympa with password '$userpass' nocreatedb 
nocreateuser");
 
-$dbh->do("INSERT INTO pg_shadow".
-         "(usename, usesysid, usecreatedb, usetrace, usesuper, usecatupd, 
passwd)".
-        "VALUES".
-         "('sympa', $usesysid, 't', 't', 't', 't', '$userpass')");
 
 $dbh->disconnect();
 
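Review bot: the old pg_shadow INSERT (usecreatedb, usetrace, usesuper and usecatupd all 't') and the two earlier attempts are left in the installer as commented-out code; delete them instead, since a script that still carries the superuser INSERT only invites someone to uncomment it. The replacement `create user sympa with password '$userpass' nocreatedb nocreateuser` still splices $userpass straight into the statement, so a generated password containing a single quote breaks the SQL; CREATE USER cannot take a bind placeholder, so pass it through $dbh->quote($userpass) and drop the hand-written quotes. The `DELETE FROM pg_shadow WHERE usename='sympa'` kept in context at the top of the hunk is the same direct catalog edit this patch is meant to retire; `DROP USER sympa` is the supported way to clear a stale account before re-creating it.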
@@ -90,6 +96,9 @@
               ")")};
 
 eval {$dbh->("CREATE INDEX subscriber_idx ON subscriber_table 
(user_subscriber,list_subscriber)")};
+
+eval {$dbh->do("GRANT ALL ON user_table TO sympa")};
+eval {$dbh->do("GRANT ALL ON subscriber_table TO sympa")};
 
 $dbh->disconnect();
 
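Review bot: `GRANT ALL ON user_table TO sympa` (and the same for subscriber_table) is broader than the report's own least-privilege argument calls for: on the PostgreSQL 7.2 that woody ships, ALL on a table also hands out RULE, REFERENCES and TRIGGER, none of which a list manager needs to read and write subscriber rows. Enumerate the privileges instead, e.g. `GRANT SELECT, INSERT, UPDATE, DELETE ON user_table TO sympa`. Both new statements are wrapped in a bare `eval {}` with nothing inspecting $@, matching the surrounding CREATE TABLE/CREATE INDEX calls, so a grant that fails (for instance because the user was not created in the first hunk) is silently lost and surfaces only as permission errors at runtime; at least warn on $@ after each. While touching this hunk, the context line `eval {$dbh->("CREATE INDEX subscriber_idx ...")}` just above the additions is missing `->do`, so the index is never created and that eval hides the error as well.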



--- End Message ---
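As an added example (not Sympa's install-pg-db script and not part of the bug report above), this is the least-privilege provisioning the report argues for, written for a current PostgreSQL (8.1 or later is assumed, where CREATE ROLE and pg_roles take the place of the 7.x CREATE USER and pg_shadow). The role name sympa and the tables user_table and subscriber_table come from the script and the patch; the password placeholder is an assumption. It also covers the case the reporter explicitly leaves open, an account that an earlier install already created as a superuser.

```sql
-- Added example, not Sympa's own installer. Assumes PostgreSQL 8.1+ and is
-- run by the DBA (postgres) against the Sympa database. Role and table names
-- come from the bug report; the password value is a placeholder.

-- 1. Create the role with none of the flags the old installer set to 't'
--    (usesuper, usecatupd, usecreatedb, usetrace): no superuser, no
--    createdb, no role creation, just LOGIN.
--    The password is a dollar-quoted literal so a single quote inside it
--    cannot terminate the statement the way it could in the interpolated
--    '$userpass' of the original script. A script that generates this line
--    should still use its driver's quoting (DBI's $dbh->quote) rather than
--    trusting that the password never contains the $pw$ delimiter.
CREATE ROLE sympa LOGIN
    NOSUPERUSER NOCREATEDB NOCREATEROLE
    PASSWORD $pw$change-me-at-install-time$pw$;

-- 2. Grant only the DML the application needs on its own tables. GRANT ALL
--    would also include REFERENCES and TRIGGER (and TRUNCATE on 8.4+),
--    which the list manager does not need.
GRANT SELECT, INSERT, UPDATE, DELETE
    ON user_table, subscriber_table
    TO sympa;

-- 3. Remediation for installs where the old script already created the
--    account with superuser rights: strip the attributes in place. The
--    password and any existing grants are left untouched.
ALTER ROLE sympa NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- 4. Checks to run afterwards: the role's attribute flags ...
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole, rolcanlogin
  FROM pg_roles
 WHERE rolname = 'sympa';

--    ... and exactly which table privileges it holds.
SELECT table_name, privilege_type
  FROM information_schema.role_table_grants
 WHERE grantee = 'sympa'
 ORDER BY table_name, privilege_type;
```

The two SELECTs at the end are the audit a reviewer would want before closing a report like this one: the pg_roles row shows whether rolsuper, rolcreatedb and rolcreaterole are still set on an existing installation, and the role_table_grants listing shows whether anything beyond the four DML privileges on the two application tables was handed out.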
--- Begin Message ---
Hello,

there is no reason to work on this bug anymore.

Regards
        Racke

--
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team


--- End Message ---
