Your message dated Sun, 3 Feb 2019 22:33:27 +0100
with message-id <[email protected]>
and subject line Re: Bug#249342: dupload: could check local file for permissions
has caused the Debian Bug report #249342,
regarding dupload: could check local file for permissions
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
249342: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=249342
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: dupload
Version: 2.6.3
Severity: wishlist

quoting the manpage:

  -c --configfile
      Read the file ./dupload.conf (if it exists). Warning:
      this is a security risk if you are in a directory
      where other people can write. That's why it is not
      the default (unlike the previous versions).

It would be trivial, and nice (!), to add a check:

  - does ./dupload.conf exist
  - does ./dupload.conf have permissions no more than 0644
  - is ./dupload.conf owned by the current user?

This would allow for automatic inclusion...

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (600, 'testing'), (98, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.3-1-k7-smp
Locale: LANG=en_GB.ISO-8859-15, LC_CTYPE=de_DE.ISO-8859-15

Versions of packages dupload depends on:
ii  libnet-perl                 1:1.18-2  Implementation of Internet protoco
ii  perl                        5.8.3-3   Larry Wall's Practical Extraction
ii  perl-modules [libnet-perl]  5.8.3-3   Core Perl modules.

-- no debconf information

-- 
Please do not CC me when replying to lists; I read them!

 .''`.     martin f. krafft <[email protected]>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
--- End Message ---
--- Begin Message ---
Hi!

On Sun, 2004-05-16 at 22:06:38 +0200, martin f krafft wrote:
> Package: dupload
> Version: 2.6.3
> Severity: wishlist
> quoting the manpage:
>
>   -c --configfile
>       Read the file ./dupload.conf (if it exists). Warning:
>       this is a security risk if you are in a directory
>       where other people can write. That's why it is not
>       the default (unlike the previous versions).
>
> It would be trivial, and nice (!), to add a check:
>
>   - does ./dupload.conf exist
>   - does ./dupload.conf have permissions no more than 0644
>   - is ./dupload.conf owned by the current user?
>
> This would allow for automatic inclusion...

Automatically loading such files is a security disaster waiting to
happen, as all such checks are just TOCTOU security holes. I think this
behavior was a bad idea, and my intention instead is to phase it out.
For now it emits a warning but after buster is released I'll make it a
hard error.

So given the above, I'm just going to close this report.

Thanks,
Guillem
--- End Message ---
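
The check-then-use gap that the closing message calls TOCTOU, shown as an added example (Python rather than dupload's Perl, and not code from this thread or from dupload): the report's three criteria applied by path before opening, next to the same criteria applied with fstat() to an already opened descriptor. The function names are hypothetical and the rename in `demo()` is a constructed stand-in for another user with write access to the directory; the descriptor-based variant only removes the gap between check and read, it does not address the maintainer's objection to loading configuration from the current directory.

```python
import os
import stat
import tempfile

MAX_MODE = 0o644  # "permissions no more than 0644", from the report


def acceptable(st):
    """The report's criteria, applied to a stat result."""
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == os.geteuid()
            and (stat.S_IMODE(st.st_mode) & ~MAX_MODE) == 0)


def racy_check(path):
    """Path-based check: describes whatever the name points at right now."""
    return acceptable(os.stat(path))


def open_checked(path):
    """Open first, then check the object the descriptor is bound to."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    if not acceptable(os.fstat(fd)):
        os.close(fd)
        raise PermissionError(f"{path}: owner or mode check failed")
    return os.fdopen(fd, "r")


def demo():
    """Constructed scenario: the name is re-pointed between check and use.
    The rename stands in for another user with write access to the directory."""
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "dupload.conf")
        other = os.path.join(d, "other.conf")
        for name, text, mode in ((conf, "mine\n", 0o644), (other, "swapped\n", 0o666)):
            with open(name, "w") as f:
                f.write(text)
            os.chmod(name, mode)
        passed = racy_check(conf)      # check by path ...
        os.replace(other, conf)        # ... directory entry changes ...
        with open(conf) as f:          # ... use by path reads another file
            racy_read = f.read()
        try:
            open_checked(conf).close()
            rejected = False
        except PermissionError:
            rejected = True
        return passed, racy_read, rejected
```
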

