Your message dated Thu, 05 Apr 2018 17:20:05 +0000 with message-id <[email protected]> and subject line Bug#299007: fixed in debian-policy 4.1.4.0 has caused the Debian Bug report #299007, regarding Transitioning perms of /usr/local to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

--
299007: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=299007
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: base-files
Version: 3.0.2
Severity: critical
Tags: patch security
Justification: root security hole

I recently noticed that /usr/local and /usr/local/{bin,sbin} are group-writable and owned by root:staff. This is wrong: those directories are in the default PATH for root. They (and files within) should be root-owned: group staff users or become-any-user-but-root bugs should not be able to trojan and thus get root.

The Debian Policy Manual [1] says:

    ... /usr/local take precedence over the equivalents in /usr.
    ... should have permissions 2775 and be owned by root.staff.

but it [2] also says:

    ... make sure that [it] is secure ... Files should be owned by root.root ... mode 644 or 755. Directories should be mode 755 or 2775 ... owned by the group that needs write access to it.

The Debian Reference [3] and Securing Debian Manual [4], [5] say:

    [group] staff is ... for helpdesk types or junior sysadmins ... to do things in /usr/local and to create directories in /home.

    [group] staff: Allows users to add local modifications to the system (/usr/local, /home) without needing root privileges. The 'staff' group are usually help-desk/junior sysadmins, allowing them to work in /usr/local and create directories in /home.

(This is surely wrong, seems a SysV left-over: you need root privileges to chown user directories in /home or in fact to create users in /etc/passwd.)

"Junior sysadmins" should not be able or encouraged to trojan root, even if you trust them with the root password or give them sudo privileges.

Become-any-user-but-root and become-any-group-but-root bugs are quite common. When a group of machines share user home directories via NFS exported from somewhere with default root-squash, getting root on one machine gives precisely that on all others of the group. There have been "genuine" such bugs also, e.g. in sendmail [6].

This security lapse has been discussed before [7], [8].

The solution is to remove /usr/local things from the default PATH in /root/.profile (i.e. in /usr/share/base-files/dot.profile), leaving a warning comment instead. It would also be good to re-word the confused policy, and to make /usr/local root-owned. (Maybe /usr/local/sbin could then be used again.)

Discuss on [email protected], or "reportbug debian-policy"?

References:
[1] http://www.debian.org/doc/debian-policy/ch-opersys.html#s9.1.2
[2] http://www.debian.org/doc/debian-policy/ch-files.html#s10.9
[3] http://www.debian.org/doc/manuals/reference/ch-tune.en.html#s9.2.3
[4] http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.1.12.1
[5] http://www.debian.org/doc/manuals/securing-debian-howto/ch11.en.html#s11.1.12.2
[6] http://hackersplayground.org/papers/sendmailholes.txt
[7] http://lists.debian.org/debian-doc/2001/08/msg00041.html
[8] http://lists.debian.org/debian-user/2003/12/msg02057.html

Cheers,

Paul Szabo [email protected] http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics University of Sydney Australia

-- System Information
Debian Release: 3.0
Architecture: i386
Kernel: Linux pisa.maths.usyd.edu.au 2.4.22-smssvr1.5.3 #1 SMP Wed Jun 23 13:01:39 EST 2004 i686
Locale: LANG=C, LC_CTYPE=C

Versions of packages base-files depends on:
ii base-passwd 3.4.1 Debian Base System Password/Group
ii gawk [awk] 1:3.1.0-3 GNU awk, a pattern scanning and pr
ii mawk [awk] 1.3.3-8 a pattern scanning and text proces
--- End Message ---
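An added example, not part of the bug report or of base-files: a POSIX shell audit of the condition the report describes. It walks a PATH, flags any directory (or entry directly inside it) that is group- or world-writable or not owned by the expected uid, and prints the PATH with the failing directories dropped, which is the mitigation proposed for root's own PATH. It assumes a GNU/BSD-style `ls -ldn` line (mode, links, uid, gid, ...) and takes the expected owner uid as a parameter so it can be exercised as a non-root user.

```shell
# Audit a PATH for the hazard the report describes: a directory that root
# searches for commands, or a command inside it, that a non-root user or group
# can write to or that is not owned by the expected uid. Uses only POSIX ls -ldn.

# unsafe_entry NAME WANT_UID: print a reason and return 0 if NAME is owned by
# someone other than WANT_UID or is group/world-writable; return 1 if it is safe.
unsafe_entry() {
    name=$1 want=$2
    ls_out=$(ls -ldn "$name" 2>/dev/null) || return 1  # vanished: nothing to check
    set -f; set -- $ls_out; set +f                     # fields: mode links uid gid ...
    mode=$1 uid=$3
    [ "$uid" = "$want" ] || { echo "$name: owned by uid $uid, expected $want"; return 0; }
    case $mode in
        l*)         return 1 ;;  # symlink: its own mode bits carry no meaning
        ?????w*)    echo "$name: group-writable ($mode)"; return 0 ;;
        ????????w*) echo "$name: world-writable ($mode)"; return 0 ;;
    esac
    return 1
}

# audit_dir DIR WANT_UID: check DIR itself and everything directly inside it,
# since the trojan can be a command dropped into the directory. 0 means clean.
audit_dir() {
    dir=$1 want=$2 bad=0
    unsafe_entry "$dir" "$want" && bad=1
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || [ -L "$f" ] || continue         # glob matched nothing
        unsafe_entry "$f" "$want" && bad=1
    done
    return $bad
}

# audit_path PATHSTR WANT_UID: audit every directory of a colon-separated PATH.
# Findings go to stderr; stdout gets PATHSTR with each failing directory dropped,
# the mitigation the report proposes for root's own PATH. 0 means nothing dropped.
audit_path() {
    want=$2 keep= rc=0
    IFS=:; set -f; set -- $1; set +f; unset IFS
    for dir; do
        if [ -z "$dir" ]; then
            echo "empty PATH entry (searches the current directory)" >&2; rc=1
        elif audit_dir "$dir" "$want" >&2; then
            keep=${keep:+$keep:}$dir
        else rc=1; fi
    done
    printf '%s\n' "$keep"
    return $rc
}
```

Run it as `audit_path "$PATH" 0` on a real system to see which of root's search directories a staff-group member could plant a command in; the default 2775 root:staff /usr/local/bin from the report is exactly what it flags.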
--- Begin Message ---
Source: debian-policy
Source-Version: 4.1.4.0

We believe that the bug you reported is fixed in the latest version of debian-policy, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Sean Whitton <[email protected]> (supplier of updated debian-policy package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Thu, 05 Apr 2018 09:08:16 -0700
Source: debian-policy
Binary: debian-policy
Architecture: all source
Version: 4.1.4.0
Distribution: unstable
Urgency: medium
Maintainer: Debian Policy Editors <[email protected]>
Changed-By: Sean Whitton <[email protected]>
Closes: 299007 515856 742364 881431 886890 888437 889167 889960 892142
Description:
 debian-policy - Debian Policy Manual and related documents
Changes:
 debian-policy (4.1.4.0) unstable; urgency=medium
 .
   [ Sean Whitton ]
   * Policy: Drop get-orig-source rules target
     Wording: Helmut Grohne <[email protected]>
     Seconded: Holger Levsen <[email protected]>
     Seconded: Niels Thykier <[email protected]>
     Closes: #515856
   * Policy: Update required permissions for /usr/local
     Wording: Santiago Vila <[email protected]>
     Seconded: Don Armstrong <[email protected]>
     Seconded: Ian Jackson <[email protected]>
     Seconded: Russ Allbery <[email protected]>
     Closes: #299007
   * Policy: Document debian/missing-sources
     Wording: Sean Whitton <[email protected]>
     Seconded: Holger Levsen <[email protected]>
     Seconded: Gunnar Wolf <[email protected]>
     Closes: #742364
   * Policy: Uniqueness of version numbers
     Wording: Sean Whitton <[email protected]>
     Seconded: Simon McVittie <[email protected]>
     Seconded: Holger Levsen <[email protected]>
     Closes: #881431
   * Update recommendations dh_systemd_* -> dh_installsystemd (Closes: #889167).
     Thanks Chris Lamb for the report.
   * Fix some typos (Closes: #886890).
     Thanks Sebastian Rasmussen for the patch.
   * Fix some errors in shell script snippets caused by the rST conversion script (Closes: #888437).
     Thanks Yao Wei for the patch.
   * Fix version of init-system-helpers required for `defaults-disabled` option from 1.5.0 to 1.50.
     Thanks to GengYu Rao for noting this on the debian-policy list.
   * Fix indentation of description of the clean target (Closes: #889960).
     Thanks Ferenc Wágner for the report.
 .
   [ Jonathan Nieder ]
   * Use default-mta instead of exim in dependency example (Closes: #892142).
     Thanks to Paul Wise for the report.
--- End Message ---

