wrong ownership of /var/log/news/ and /etc/news/

Bug #731547 reported by Vasily Kulikov
Affects            Status        Importance  Assigned to  Milestone
ifmail (Ubuntu)    Won't Fix     Undecided   Unassigned
inn (Ubuntu)       Won't Fix     Undecided   Unassigned
inn2 (Ubuntu)      Won't Fix     Undecided   Unassigned
innfeed (Ubuntu)   Won't Fix     Undecided   Unassigned
leafnode (Ubuntu)  Won't Fix     Undecided   Unassigned
slrn (Debian)      Fix Released  Unknown
slrn (Ubuntu)      Won't Fix     Undecided   Unassigned
uucpsend (Ubuntu)  Won't Fix     Undecided   Unassigned

Bug Description

Binary package hint: slrn

Directories /var/log/news/ and /etc/news/ have weird ownership - news:news. Some deb scripts use these directories as trusted and write to files in them e.g. like this (from slrnpull.postinst):

echo "$RET" > /etc/news/server

These directories must not be writable by non-root as it might compromise root via specially crafted symlinks/hardlinks/etc. by user or group "news".

As these directories are not owned by a single package, but are created by each package, I'm reporting the bug to all packages owning files in these directories:

$ apt-file search /etc/news/ | cut -d: -f1 | uniq
ifgate
inn
inn2
inn2-inews
innfeed
leafnode
slrn
slrnpull
uucpsend
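
Added example, not part of the original report or of any package's maintainer scripts: a shell audit for the condition the report describes. It flags directories a root script writes into that are not root-owned or are group/world-writable, and lists the symlinks and multiply-linked files inside them. It assumes GNU `stat` and `find`; all function names are hypothetical.

```sh
#!/bin/sh
# Added example (hypothetical helper names). Assumes GNU stat(1) and find(1).

# dir_is_trusted DIR [UID]: succeed only if DIR is a real directory (not a
# symlink), owned by UID (default 0, root) and not group- or world-writable.
dir_is_trusted() {
    t_dir=$1
    t_uid=${2:-0}
    [ -d "$t_dir" ] && [ ! -L "$t_dir" ] || return 1
    t_owner=$(stat -c %u -- "$t_dir") || return 1
    t_mode=$(stat -c %a -- "$t_dir") || return 1
    [ "$t_owner" -eq "$t_uid" ] || return 1
    # Octal 022 masks the group-write and other-write permission bits.
    [ $(( 0$t_mode & 022 )) -eq 0 ]
}

# risky_targets DIR: print entries directly inside DIR that are symlinks or
# regular files with more than one hard link. A root "echo ... > FILE" on such
# an entry would write somewhere other than a private file in DIR.
risky_targets() {
    find "$1" -maxdepth 1 \( -type l -o \( -type f -links +1 \) \) -print
}

# audit_news_dirs: report on the two directories named in the bug report.
audit_news_dirs() {
    for d in /etc/news /var/log/news; do
        [ -e "$d" ] || continue
        if dir_is_trusted "$d"; then
            echo "ok: $d"
        else
            echo "UNTRUSTED for root writes: $d ($(stat -c '%U:%G %a' -- "$d"))"
            risky_targets "$d" | sed 's/^/  check: /'
        fi
    done
}

# Run the audit only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_news_dirs
fi
```

The listing from `risky_targets` is a point-in-time check, so it supports review of a system but does not make a later root write into such a directory safe.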

visibility: private → public
Jamie Strandboge (jdstrand) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. As per Debian Policy section 11.7, news servers and clients are supposed to use these directories. The configuration as it is now is deliberate, and I refer you to http://www.debian.org/doc/manuals/securing-debian-howto/ch12.en.html, section 12.1.12.1. In general the permissions should be set up in such a way that under normal operating conditions, the programs can run without root permissions.

Also, since all the packages referred to in this bug are in universe or multiverse, they are community maintained. I am going to mark this bug as "Won't Fix" since Ubuntu won't diverge from Debian on this point. If you feel strongly about making these changes, I encourage you to file a bug with Debian (http://www.debian.org/Bugs/) and if they approve your changes, the changes can be incorporated into Ubuntu.

Changed in inn (Ubuntu):
status: New → Won't Fix
Changed in inn2 (Ubuntu):
status: New → Won't Fix
Changed in innfeed (Ubuntu):
status: New → Won't Fix
Changed in leafnode (Ubuntu):
status: New → Won't Fix
Changed in slrn (Ubuntu):
status: New → Won't Fix
Changed in uucpsend (Ubuntu):
status: New → Won't Fix
Changed in ifmail (Ubuntu):
status: New → Won't Fix
Changed in slrn (Debian):
status: Unknown → New
Changed in slrn (Debian):
status: New → Fix Released
This report contains Public Security information  
Everyone can see this security related information.