https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277470
Bug ID: 277470
Summary: Security Vulnerability: etcupdate incorrectly sets
permissions for
/var/db/etcupdate/conflicts/etc/master.passwd
Product: Base System
Version: 13.3-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: misc
Assignee: [email protected]
Reporter: [email protected]
I've encountered an issue while upgrading systems from 13.2 to 13.3.
Upon executing the upgrade process using the following commands:
cd /usr/src
make buildworld
make buildkernel
make installkernel
etcupdate -p
make installworld
etcupdate
I noticed that during the final step (etcupdate), conflicts were detected in
the files /etc/master.passwd and /etc/group. Consequently, I utilized
`etcupdate resolve` to rectify these conflicts.
Before resolving the conflicts, I checked the file
/var/db/etcupdate/conflicts/master.passwd and found that it had insecure
permissions:
ls -la /var/db/etcupdate/conflicts/etc/master.passwd
-rw-r--r-- 1 root wheel 5690 Feb 28 00:05
/var/db/etcupdate/conflicts/etc/master.passwd
The file master.passwd contains encrypted root and user passwords, thereby
presenting a significant security risk due to its unrestricted read access.
Your attention to this matter would be greatly appreciated, and I remain
available to provide any additional information or assistance required for
troubleshooting.
--
You are receiving this mail because:
You are the assignee for the bug.
