File permissions allow access to sensitive information by "others"

Bug #1752156 reported by Marc Deslauriers
Affects               Status        Importance  Assigned to  Milestone
freeradius (Debian)   Fix Released  Unknown
freeradius (Ubuntu)   Fix Released  Low         Unassigned

Bug Description

Simon Boldinger reported a security issue with the default freeradius permissions.

See the Debian bug report for details:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890933

Tags: server-next
Changed in freeradius (Debian):
status: Unknown → New
Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

FYI - Discussion started on the Deb-Bug; we would want to stay in sync but are subscribed there to pick up what is going on.

Andreas Hasenack (ahasenack) wrote :

"In any case, the packaging used mode 2751 for /etc/freeradius before I
became the maintainer, so I never questioned it.

Especially seeing that upstream is in agreement, I’m all for using a
stricter permission. I’ll change the package to use 2750 going forward."

Looks like Debian will change the perms.

Andreas Hasenack (ahasenack) wrote :

In bionic we have:
ubuntu@bionic:~$ l /etc/freeradius/
ls: cannot open directory '/etc/freeradius/': Permission denied

ubuntu@bionic:~$ cat /etc/freeradius/3.0/users
cat: /etc/freeradius/3.0/users: Permission denied

ubuntu@bionic:~$ sudo ls -lah /etc/freeradius/3.0/users
lrwxrwxrwx 1 freerad freerad 27 Feb 28 06:51 /etc/freeradius/3.0/users -> mods-config/files/authorize

ubuntu@bionic:~$ sudo ls -la /etc/freeradius/3.0/mods-config/files/authorize
-rw-r----- 1 freerad freerad 7044 Feb 28 06:51 /etc/freeradius/3.0/mods-config/files/authorize
ubuntu@bionic:~$

freeradius 3.0.16+dfsg-1ubuntu3

Maybe this is related to an upgrade indeed, as was hinted elsewhere in the Debian bug.
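
An added check, not from the bug thread nor from the FreeRADIUS packaging, that turns the 2751 versus 2750 point into a script: the trailing octal digit is the "others" class, and an execute (search) bit there lets any local account traverse into the tree and read whatever file beneath it is itself world-readable, even when the directory cannot be listed. Assumes GNU stat and find.

```shell
#!/bin/sh
# Audit a FreeRADIUS-style config directory for "others" permission bits.
# Mode 2751 = setgid + rwxr-x--x: others may search the directory.
# Mode 2750 = setgid + rwxr-x---: closed to others (the fix in #890933).

# others_bits MODE: print the "others" octal digit (2751 -> 1, 2750 -> 0).
others_bits() {
    mode=$1
    printf '%s\n' "${mode#"${mode%?}"}"
}

# others_can_search MODE: succeed (0) if others hold the execute/search bit.
others_can_search() {
    o=$(others_bits "$1")
    [ $((o & 1)) -ne 0 ]
}

# audit_dir DIR: report whether DIR is traversable by others and, if so,
# which regular files beneath it are world-readable (reachable by path
# even though the directory itself is not listable). Returns 1 when the
# tree is exposed, 0 when it is closed to others, 2 if DIR is unreadable.
audit_dir() {
    dir=$1
    mode=$(stat -c '%a' "$dir") || return 2
    if others_can_search "$mode"; then
        echo "WARN $dir mode $mode: others can traverse (expected 2750)"
        find "$dir" -type f -perm -o=r | while read -r f; do
            echo "WARN $f mode $(stat -c '%a' "$f"): world-readable"
        done
        return 1
    fi
    echo "OK   $dir mode $mode: closed to others"
    return 0
}
```

Run it as `audit_dir /etc/freeradius` on a host; on the bionic package above the directory would be flagged while the 640 `authorize` file would not appear in the list.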

Andreas Hasenack (ahasenack) wrote :

Debian has made the change:

 freeradius (3.0.16+dfsg-3) unstable; urgency=medium
 .
   * Change default /etc/freeradius permission from 2751 to 2750 (Closes: #890933)

tags: added: server-next
Changed in freeradius (Ubuntu):
status: New → Triaged
importance: Undecided → Low
Changed in freeradius (Debian):
status: New → Fix Released
Andreas Hasenack (ahasenack) wrote :

We should get the change in the next sync with Debian.

Andreas Hasenack (ahasenack) wrote :

This was fixed in 3.0.16+dfsg-3, which we have in cosmic as 3.0.16+dfsg-3ubuntu1.

Changed in freeradius (Ubuntu):
status: Triaged → Fix Released
This report contains Public Security information  
Everyone can see this security related information.