Your message dated Sat, 13 Feb 2010 23:32:13 +0000
with message-id <e1ngrtb-0000t8...@ries.debian.org>
and subject line Bug#567175: fixed in ganglia 3.1.2-3
has caused the Debian Bug report #567175,
regarding gmetad: creates world read/writable rrd data files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
567175: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567175
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gmetad
Version: 3.1.2-2.1
Severity: grave
Tags: security
Justification: causes non-serious data loss

Hi,

gmetad creates its RRD data files with permissions 666, in world-accessible
directories (755), e.g.:

$ ls -ld /var/lib/ganglia/rrds/__SummaryInfo__
drwxr-xr-x 2 nobody root 4096 2010-01-26 23:14 /var/lib/ganglia/rrds/__SummaryInfo__
$ ls -l /var/lib/ganglia/rrds/__SummaryInfo__
total 672
-rw-rw-rw- 1 nobody root 23648 2010-01-26 23:14 boottime.rrd
-rw-rw-rw- 1 nobody root 23648 2010-01-26 23:14 bytes_in.rrd
-rw-rw-rw- 1 nobody root 23648 2010-01-26 23:14 bytes_out.rrd
-rw-rw-rw- 1 nobody root 23648 2010-01-26 23:14 cpu_aidle.rrd
-rw-rw-rw- 1 nobody root 23648 2010-01-26 23:14 cpu_idle.rrd
-rw-rw-rw- 1 nobody root 23648 2010-01-26 23:14 cpu_nice.rrd
[...]

As a result, any local user can not only read the full datasets collected by
gmetad (probably not an issue), but can tamper with them or just simply
truncate them, causing data loss and denial of service.

A fix would have to take care of newly created files, as well as any files that
have previously been created.

Cheers, Til


-- System Information:
Debian Release: 5.0.3
  APT prefers stable
  APT policy: (500, 'stable'), (400, 'unstable'), (300, 'testing'), (200, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-bpo.2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash



--- End Message ---
--- Begin Message ---
Source: ganglia
Source-Version: 3.1.2-3

We believe that the bug you reported is fixed in the latest version of
ganglia, which is due to be installed in the Debian FTP archive:

ganglia-monitor_3.1.2-3_i386.deb
  to main/g/ganglia/ganglia-monitor_3.1.2-3_i386.deb
ganglia-webfrontend_3.1.2-3_all.deb
  to main/g/ganglia/ganglia-webfrontend_3.1.2-3_all.deb
ganglia_3.1.2-3.diff.gz
  to main/g/ganglia/ganglia_3.1.2-3.diff.gz
ganglia_3.1.2-3.dsc
  to main/g/ganglia/ganglia_3.1.2-3.dsc
gmetad_3.1.2-3_i386.deb
  to main/g/ganglia/gmetad_3.1.2-3_i386.deb
libganglia1-dev_3.1.2-3_i386.deb
  to main/g/ganglia/libganglia1-dev_3.1.2-3_i386.deb
libganglia1_3.1.2-3_i386.deb
  to main/g/ganglia/libganglia1_3.1.2-3_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 567...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Stuart Teasdale <s...@debian.org> (supplier of updated ganglia package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 13 Feb 2010 23:15:02 +0000
Source: ganglia
Binary: ganglia-monitor gmetad libganglia1 libganglia1-dev ganglia-webfrontend
Architecture: source all i386
Version: 3.1.2-3
Distribution: unstable
Urgency: high
Maintainer: Stuart Teasdale <s...@debian.org>
Changed-By: Stuart Teasdale <s...@debian.org>
Description: 
 ganglia-monitor - cluster monitoring toolkit - node daemon
 ganglia-webfrontend - cluster monitoring toolkit - web front-end
 gmetad     - cluster monitoring toolkit - Ganglia Meta-Daemon
 libganglia1 - cluster monitoring toolkit - shared libraries
 libganglia1-dev - cluster monitoring toolkit - development libraries
Closes: 567175 569395
Changes: 
 ganglia (3.1.2-3) unstable; urgency=high
 .
   * Adjust the default umask of the daemons. Closes: #567175
   * Fix in postinst to change the umask of existing rrds
   * Add build dependency for libdbi0-dev. Closes: #569395
   * Horrid directory mangling in postinst hacked around for permissions
Checksums-Sha1: 
 71692a99f1cb9984764008c3fe88c6338506c472 1195 ganglia_3.1.2-3.dsc
 f13330d962d9e7f023d4c0f02f64030beeee5905 45417 ganglia_3.1.2-3.diff.gz
 fc6d409506558cbf0dfa60ef191057e00e56aaa3 111566 ganglia-webfrontend_3.1.2-3_all.deb
 c68b464d7bf527ffcd070c88a2119d7110c71038 52554 ganglia-monitor_3.1.2-3_i386.deb
 d7aec45e4be95eb837b7fe1c31d230bf6b75e66a 29412 gmetad_3.1.2-3_i386.deb
 cfc7472c51ec0d0390305e26d3a0d04d2b91afa4 126356 libganglia1_3.1.2-3_i386.deb
 154c0e243082efe83929462809743587fe775387 38674 libganglia1-dev_3.1.2-3_i386.deb
Checksums-Sha256: 
 9e548ba7f757994305a5102d4ca765daa0c5f93afef0a515118ccb8356d9cab6 1195 ganglia_3.1.2-3.dsc
 c0d271c6290d7b8d1af235c64fb452b43868ead97d3279eabf39c1f95b0b7b97 45417 ganglia_3.1.2-3.diff.gz
 dc25a589266fc31161ad0f322edd86e5a1d0040d3542255174ebc9abbce15846 111566 ganglia-webfrontend_3.1.2-3_all.deb
 53065bedb840c93571321f50401f9646044f4695d77822c1a1adfd1f8e64a63a 52554 ganglia-monitor_3.1.2-3_i386.deb
 ce7e45e85322b32b1ba8eeed5d0f8e356ea2eea42e99c3540687faaaeb5c8a8c 29412 gmetad_3.1.2-3_i386.deb
 3e3567b1a5c593924b6621b0c1284179305379784d6e000b108326848444fbec 126356 libganglia1_3.1.2-3_i386.deb
 c66357ffe7c134c927059d0898b208231012abc113e98ca7d4f7c561bdf3992c 38674 libganglia1-dev_3.1.2-3_i386.deb
Files: 
 d87a004cc5e38dcae75518a71e275788 1195 net optional ganglia_3.1.2-3.dsc
 a1dd91edbe4728e9cdf40d93a5b9d65d 45417 net optional ganglia_3.1.2-3.diff.gz
 910de5f67d5febd051acb07e1a5e4d29 111566 net optional ganglia-webfrontend_3.1.2-3_all.deb
 fecd4ae0f3ba19823b329dd92db26672 52554 net optional ganglia-monitor_3.1.2-3_i386.deb
 3bda375c791a2aa39b245f70237385cb 29412 net optional gmetad_3.1.2-3_i386.deb
 4ba6e947e660bc32e9f4278f4529fe95 126356 libs optional libganglia1_3.1.2-3_i386.deb
 858c9fbafcc281fff555874686a4bf53 38674 libdevel optional libganglia1-dev_3.1.2-3_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkt3NX4ACgkQqXWYex+fp+6UMwCgkh/c2EbWVMG7CvOsbqDrMJ6K
ItwAoIHScs5Gbkkh1XJ0MxT1WQKjMpTc
=ab1J
-----END PGP SIGNATURE-----



--- End Message ---