Bug#734869: dash should drop its privileges in setuid context and implement privileged mode support (-p)
Hi

On Fri, Jan 17, 2014 at 09:04:37AM +, Gerrit Pape wrote:
> On Thu, Jan 16, 2014 at 10:01:22PM +0100, Raphael Hertzog wrote:
> > On Fri, 10 Jan 2014, Jonathan Nieder wrote:
> > > Agreed, this is an important and good change (both upstream and for
> > > Debian). Thanks for reporting.
> >
> > Adding the "forwarded" tag doesn't bring much in this case as it's clear
> > that "upstream" has not acted on this patch submission...
>
> Well, actually it makes it clear that the request and patch has been
> brought to upstream's attention.
>
> > Who are the upstream maintainers that we should ping? Herbert Xu?
>
> Herbert Xu is upstream, yes.
>
> > Do we have anyone in Debian with commit rights to the upstream repo?
>
> No.

Any news on this?

Regards,
Salvatore
Bug#734869: dash should drop its privileges in setuid context and implement privileged mode support (-p)
On Thu, Jan 16, 2014 at 10:01:22PM +0100, Raphael Hertzog wrote:
> On Fri, 10 Jan 2014, Jonathan Nieder wrote:
> > Agreed, this is an important and good change (both upstream and for
> > Debian). Thanks for reporting.
>
> Adding the "forwarded" tag doesn't bring much in this case as it's clear
> that "upstream" has not acted on this patch submission...

Well, actually it makes it clear that the request and patch has been
brought to upstream's attention.

> Who are the upstream maintainers that we should ping? Herbert Xu?

Herbert Xu is upstream, yes.

> Do we have anyone in Debian with commit rights to the upstream repo?

No.

Regards, Gerrit.

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Bug#734869: dash should drop its privileges in setuid context and implement privileged mode support (-p)
Hi Jonathan,

On Fri, 10 Jan 2014, Jonathan Nieder wrote:
> Agreed, this is an important and good change (both upstream and for
> Debian). Thanks for reporting.

Adding the "forwarded" tag doesn't bring much in this case as it's clear
that "upstream" has not acted on this patch submission...

Who are the upstream maintainers that we should ping? Herbert Xu?

Do we have anyone in Debian with commit rights to the upstream repo?

Cheers,
--
Raphaël Hertzog ◈ Debian Developer

Discover the Debian Administrator's Handbook:
→ http://debian-handbook.info/get/
Bug#734869: dash should drop its privileges in setuid context and implement privileged mode support (-p)
tags 734869 + upstream
forwarded 734869 http://thread.gmane.org/gmane.comp.shells.dash/841
quit

Hi Raphaël,

Raphaël Hertzog wrote:
> I have been reading
> http://blog.cmpxchg8b.com/2013/08/security-debianisms.html and discovered
> that dash doesn't drop its privileges when run in a setuid context.

Agreed, this is an important and good change (both upstream and for
Debian). Thanks for reporting.
Bug#734869: dash should drop its privileges in setuid context and implement privileged mode support (-p)
Package: dash
Version: 0.5.7-3+nmu1
Severity: important
Tags: security patch

I have been reading
http://blog.cmpxchg8b.com/2013/08/security-debianisms.html and discovered
that dash doesn't drop its privileges when run in a setuid context.

This is a security measure that upstream's bash does implement however.
Turning off the dropping of the privileges must be explicitly required
with the -p command line option.

It would be nice if dash could be enhanced to behave in the same way
and thus avoid some security problems with the usage of popen/system in
setuid programs.

Tavis Ormandy even submitted a patch upstream:
http://thread.gmane.org/gmane.comp.shells.dash/841/

The initial reactions were rather positive but it looks like the feature
never got merged.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages dash depends on:
ii  debianutils  4.4
ii  dpkg         1.17.6~20131221210620.235
ii  libc6        2.17-97

dash recommends no packages.

dash suggests no packages.

-- debconf information:
* dash/sh: true
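The startup behaviour requested in this report (give up setuid/setgid privileges unless -p is passed), as an added example. It is not the patch linked above and not dash or bash source; the names priv_decide and priv_apply are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* What a shell does with its credentials at startup (hypothetical names). */
enum priv_action { PRIV_KEEP, PRIV_DROP };

/* Pure decision: drop when the effective ids differ from the real ids
 * (setuid or setgid context), unless privileged mode (-p) was requested. */
enum priv_action priv_decide(uid_t uid, uid_t euid, gid_t gid, gid_t egid, int pflag)
{
    if (pflag)
        return PRIV_KEEP;
    return (uid != euid || gid != egid) ? PRIV_DROP : PRIV_KEEP;
}

/* Apply the decision to the current process. Returns 0 on success, -1 on failure.
 * Group first: once the effective uid is unprivileged, setgid() may be refused.
 * Note: setuid() also resets the saved set-user-ID only when euid is root. */
int priv_apply(int pflag)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (priv_decide(uid, geteuid(), gid, getegid(), pflag) == PRIV_KEEP)
        return 0;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop took effect before running any command. */
    if (geteuid() != uid || getegid() != gid)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    int pflag = 0, opt;
    while ((opt = getopt(argc, argv, "p")) != -1)
        if (opt == 'p')
            pflag = 1;
    if (priv_apply(pflag) != 0) {
        perror("dropping privileges");
        return EXIT_FAILURE; /* refuse to continue with unexpected credentials */
    }
    printf("uid=%d euid=%d gid=%d egid=%d\n",
           (int)getuid(), (int)geteuid(), (int)getgid(), (int)getegid());
    return EXIT_SUCCESS;
}
```

With this check in place, a setuid program that calls popen() or system() hands the command to a shell running with the caller's real ids rather than the elevated ones, unless the program explicitly asks for -p.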