Bug#500707: Does not run as the maradns user/group

2008-10-12 Thread Kai Hendry
Thanks for the bug report. I don't know how the postinst managed to
work before. :-)

I've created a fix that's waiting for sponsored upload:

http://hendry.iki.fi/debian/unstable/maradns_1.3.07.09-2_i386.changes

Perhaps you can help test it? Thanks,



-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]



Bug#500707: Does not run as the maradns user/group

2008-09-30 Thread Matthijs Kooijman
Package: maradns
Version: 1.3.07.08-1
Severity: important
Tags: security

Hi,

I noticed that maradns does not properly update its configuration to
run as the user maradns. This results in the default configuration
remaining active, which is running as uid 65534 and gid 99. The former
should be the user nobody on all Debian systems AFAIK, but I think the
latter is usually not a valid user.

Running maradns with these credentials constitutes a security problem;
however, I do not think this is directly exploitable. Hence, I'm marking
this as important.

There is code in the postinst script to take care of this. The code is
supposed to change the uid/gid config directives to the uid and gid of
the maradns user and group, also created by the postinst script.

However, this only happens when postinst is called with the install
argument, which never happens according to the Policy Manual [1]. The
install argument is only passed to the preinst script, AFAICS.

I can reproduce this problem on two separate systems, one running sid
and one running lenny. I hope a fixed version can still be included in
lenny.

Gr.

Matthijs

[1]: http://www.debian.org/doc/debian-policy/ch-maintainerscripts.html

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.27-rc2-wl-35635-gf8895ad (PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages maradns depends on:
ii  adduser   3.110  add and remove users and groups
ii  libc6 2.7-13 GNU C Library: Shared libraries

maradns recommends no packages.

maradns suggests no packages.

-- no debconf information
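
The dispatch problem described in the report above, as an added example that is not part of the original message and not the package's actual postinst: the uid/gid rewrite is keyed on `configure`, the argument dpkg passes to postinst, so an `install` call is rejected and leaves the defaults in place. The directive names `maradns_uid`/`maradns_gid`, the function names and the ids 120/130 are assumptions made for illustration.

```shell
#!/bin/sh
# Assumed directive names: maradns_uid / maradns_gid (the "uid/gid config directives").

# config_ids FILE: print the configured "uid:gid".
config_ids() {
    u=$(sed -n 's/^[[:space:]]*maradns_uid[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1")
    g=$(sed -n 's/^[[:space:]]*maradns_gid[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1")
    echo "$u:$g"
}

# rewrite_ids FILE UID GID: set both directives, leaving every other line untouched.
rewrite_ids() {
    tmp=$(mktemp) || return 1
    sed -e "s/^[[:space:]]*maradns_uid[[:space:]]*=.*/maradns_uid = $2/" \
        -e "s/^[[:space:]]*maradns_gid[[:space:]]*=.*/maradns_gid = $3/" \
        "$1" > "$tmp" && cat "$tmp" > "$1"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# postinst_main ACTION FILE UID GID: dispatch on the argument dpkg passes.
# A real postinst would take the ids from, for instance, `id -u maradns` / `id -g maradns`.
postinst_main() {
    case "$1" in
        configure)
            rewrite_ids "$2" "$3" "$4" ;;
        abort-upgrade|abort-remove|abort-deconfigure)
            ;;   # nothing to rewrite when unwinding a failed operation
        *)
            echo "postinst called with unknown argument '$1'" >&2
            return 1 ;;
    esac
}

# Demo on a constructed config fragment; 120/130 are made-up ids.
demo=$(mktemp)
printf 'maradns_uid = 65534\nmaradns_gid = 99\n' > "$demo"
postinst_main install "$demo" 120 130 2>/dev/null || echo "install:   $(config_ids "$demo")"
postinst_main configure "$demo" 120 130 && echo "configure: $(config_ids "$demo")"
rm -f "$demo"
```

`config_ids` doubles as the post-install check: compare its output with the ids of the dedicated user and group to confirm the daemon will not start with the shipped defaults.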


