Comment 11 for bug 13795

Debian Bug Importer (debzilla) wrote:

Message-ID: <20050311141732.GT6499@seventeen>
Date: Fri, 11 Mar 2005 15:17:32 +0100
From: Bill Allombert <email address hidden>
To: <email address hidden>
Cc: Paul Szabo <email address hidden>
Subject: Re: Bug#299007: base-files: Insecure PATH

On Fri, Mar 11, 2005 at 01:39:28PM +0100, Santiago Vila wrote:
> In this report, the submitter complains about /usr/local/bin being in
> the PATH by default at the same time directories under /usr/local are
> root:staff and world-writable. His complaint is based on the existence
> of become-any-group-but-root bugs.

Is there evidence of such bugs? There are no binaries sgid staff in
Debian to start with.

> If this is a bug at all, I think we should probably drop the root:staff
> thing instead of changing the default PATH. So: Would anyone here
> second the following patch, if it were a policy proposal?

dpkg never changes permissions of directories by itself, so users can
easily chown them to their liking. The policy snippet below has this
property (mkdir will fail if the directory already exists).

> diff -ru debian-policy-3.6.1.1.orig/policy.sgml debian-policy-3.6.1.1/policy.sgml
> --- debian-policy-3.6.1.1.orig/policy.sgml 2004-06-25 23:11:36.000000000 +0200
> +++ debian-policy-3.6.1.1/policy.sgml 2005-03-11 13:25:27.000000000 +0100
> @@ -5062,8 +5062,8 @@
> then
> if mkdir /usr/local/share/emacs 2>/dev/null
> then
> - chown root:staff /usr/local/share/emacs
> - chmod 2775 /usr/local/share/emacs
> + chown root:root /usr/local/share/emacs
> + chmod 755 /usr/local/share/emacs
> fi
> fi
> </example>
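Review bot: the `chown root:root /usr/local/share/emacs` line in the `+` hunk is still needed even though the maintainer script runs as root, because a parent directory carrying the setgid bit from the existing `chmod 2775` convention makes a freshly created subdirectory inherit the parent's group; do not drop it as redundant. Note also that the `mkdir ... 2>/dev/null` guard means the new owner and mode are applied only to a directory this snippet creates, so an existing root:staff 2775 directory is left exactly as it was; that is the property the reply above relies on, and the surrounding policy text should say so explicitly so maintainers do not expect the change to tighten already installed systems.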

However, I disagree with the attitude of reassigning the bug to
debian-policy. If submitters want to make a policy proposal,
they can propose it themselves. Maintainers creating policy
proposals they clearly object to without anyone claiming
support is a waste of time here. The purpose of this list
is not to serve as a shield maintainers can use to deflect
submitters.

Cheers,
--
Bill. <email address hidden>

Imagine a large red swirl here.
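The report above turns on one check: whether any directory on the default PATH is writable by a group other than root's (or by everyone), since a member of that group could drop a binary that shadows a command for every user. As an added example, not code from Bill's or Santiago's mails or from any Debian package, the POSIX sh function below audits a PATH-style string for exactly that condition. The function name is hypothetical; it relies only on `ls -ldL` and `cut`, so it runs the same under dash and bash and does not depend on the GNU-specific `stat -c` syntax.

```shell
# Added example (not code from the bug report or from Debian): print every
# existing directory in a colon-separated PATH string whose mode grants
# write access to group or others. Any such entry lets a non-root user who
# can write there plant a binary that shadows a command for every user
# whose PATH lists the directory, which is the risk discussed above.
# Usage: writable_path_dirs "$PATH"
writable_path_dirs() {
    # Split the argument on ':' once; positional parameters inside a
    # function are local to it, so "set --" does not clobber the caller's.
    _old_ifs=$IFS
    IFS=:
    set -- $1
    IFS=$_old_ifs

    for _dir; do
        # An empty entry means "current directory". That is a separate PATH
        # problem, so it is skipped here instead of being mode-checked.
        [ -n "$_dir" ] || continue
        # Entries that do not exist cannot be abused through this path; skip them.
        [ -d "$_dir" ] || continue
        # ls -ldL prints e.g. "drwxrwsr-x" for a 2775 directory (-L follows
        # symlinks such as /bin -> usr/bin). In that string column 6 is the
        # group write bit and column 9 is the other write bit.
        _perms=$(ls -ldL "$_dir" 2>/dev/null | cut -c1-10)
        case $_perms in
            ?????w*|????????w*) printf '%s\n' "$_dir" ;;
        esac
    done
}
```

Run against `$PATH` on a stock system, an empty result is what you want; a 2775 root:staff `/usr/local/bin` shows up immediately, while a 755 root:root directory does not, which is the difference the proposed policy change above makes for newly created directories.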