Package: bastille
Version: 1:3.0.9-12.1
Severity: serious

Hello,

I run the stable release of debian, i.e. lenny (debian 5.0.6). I wanted to harden my system using bastille, so I installed the current bastille package from unstable, which also supports debian 5.0 (lenny). The package from stable supports only debian releases up to 4.0 (etch).

I used bastille to tighten up the permissions of some system binaries, and bastille set most permissions to 750 to prevent unprivileged users from using the administration utilities, or removed the suid flag so that the binaries cannot be used by non-root users (from ping and mount, for instance). After that bastille also ran the dpkg-statoverride command to prevent resetting the permissions on system upgrades. However, this part fails and bastille sets the override permissions to 0000!!! This means that many of the administration utilities have their permissions set to 0000 after an upgrade and cannot be used anymore (even by root)! This happened to me in the last upgrade to debian version 5.0.6 with ping, for instance:

    > ls -l /bin/ping*
    ---------- 1 root root 30788 Jul 27 04:34 /bin/ping
    ---------- 1 root root 26616 Jul 27 04:34 /bin/ping6

This is serious because many important binaries are included, for instance init, mkfs, mount, apt-get etc. It is also difficult to find out the reason, because the upgrade can happen much later than the bastille hardening process.

I'm including a part of the bastille action log for /sbin/init, for instance:

    ...
    {Tue Jun 8 20:00:01 2010} ACTION File exists, running chmod 488 /sbin/init
    {Tue Jun 8 20:00:01 2010} ACTION change permissions on /sbin/init from 100755 to 750
    {Tue Jun 8 20:00:01 2010} ACTION chmod 750,"/sbin/init";
    {Tue Jun 8 20:00:01 2010} ACTION Setting permissions with dpkg-statoverride:/usr/sbin/dpkg-statoverride --force --add #0 #0 0000 /sbin/init
    ...

Hopefully, this can be repaired quite quickly in unstable, because this can make the system partly unusable without knowing about this problem.
Lukas
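An audit script for the failure mode described in this report, added here as an example and not part of the bug report or of bastille: it scans output in the format of `dpkg-statoverride --list` ("user group mode path") for overrides whose mode is 0000 or is not a plausible octal mode, so that a broken override is found before the next package upgrade applies it. The sample lines below are constructed; `find_zero_mode_overrides`, `count_zero_mode_overrides` and `audit_live_system` are names chosen for this example.

```shell
#!/bin/sh
# Constructed sample in `dpkg-statoverride --list` format. The second line
# mirrors the malformed entry from the action log above; the third shows a
# plain 0000 override; the others are sane entries that must not be flagged.
SAMPLE_OVERRIDES='root root 4755 /bin/ping
#0 #0 0000 /sbin/init
root root 0000 /bin/mount
root dip 4754 /usr/sbin/pppd'

# Print every override line whose mode field is 0000 or is not 3-4 octal
# digits. $1 is text in --list format. Uses explicit repeats instead of
# {3,4} so it also works with mawk, Debian's default awk.
find_zero_mode_overrides() {
    printf '%s\n' "$1" | awk '
        NF >= 4 {
            mode = $3
            if (mode !~ /^[0-7][0-7][0-7][0-7]?$/ || mode + 0 == 0) print
        }'
}

# Number of offending entries (0 when the override database is clean).
count_zero_mode_overrides() {
    find_zero_mode_overrides "$1" | grep -c .
}

# Emit the `dpkg-statoverride --remove` commands that would drop each
# offending override, for an administrator to review and run by hand.
# The file itself still needs correct permissions restored afterwards.
suggest_removals() {
    find_zero_mode_overrides "$1" | awk '{ print "dpkg-statoverride --remove " $4 }'
}

# Run the check against the real override database on this host.
audit_live_system() {
    command -v dpkg-statoverride >/dev/null 2>&1 || {
        echo "dpkg-statoverride not found; not a dpkg system?" >&2
        return 2
    }
    find_zero_mode_overrides "$(dpkg-statoverride --list)"
}

echo "Offending overrides in the constructed sample:"
find_zero_mode_overrides "$SAMPLE_OVERRIDES"
echo "Suggested cleanup commands:"
suggest_removals "$SAMPLE_OVERRIDES"
```

On a real host, run `audit_live_system`; a non-empty result means an upgrade of the listed packages will install the binary with no permission bits at all.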