Comment 6 for bug 13795

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 11 Mar 2005 11:42:52 +0100 (CET)
From: Santiago Vila <email address hidden>
To: Paul Szabo <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#299007: base-files: Insecure PATH in /root/.profile

severity 299007 wishlist
reassign 299007 debian-policy
thanks

On Fri, 11 Mar 2005, Paul Szabo wrote:

> Package: base-files
> Version: 3.0.2
> Severity: critical
> Tags: patch security
> Justification: root security hole
>
> I recently noticed that /usr/local and /usr/local/{bin,sbin} are
> group-writable and owned by root:staff. This is wrong: those directories
> are in the default PATH for root. They (and files within) should be
> root-owned: group staff users or become-any-user-but-root bugs should not
> be able to trojan and thus get root.
> [...]

This is not a bug. base-files follows policy. If you don't like
current policy, amend it. For your benefit, I'm doing a reassign.
Now you have to make a policy proposal. This is explained in the
debian-policy package.
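
A defender's check for the condition described in the quoted report, as an added example that is not part of the original thread or of base-files: a POSIX shell function that lists the entries of a PATH string which someone other than the expected owner could modify. The function name `audit_path` and its output labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). audit_path and its labels are hypothetical.
# Usage: audit_path PATH_STRING [EXPECTED_UID]   (EXPECTED_UID defaults to 0, root)
audit_path() {
    path_string=$1
    expected_uid=${2:-0}

    # Split on ':' with globbing off, then restore the shell state.
    old_ifs=$IFS
    IFS=:
    set -f
    set -- $path_string
    set +f
    IFS=$old_ifs

    for dir in "$@"; do
        case $dir in
            /*) ;;
            *)  # Relative or empty entries resolve against the current directory.
                printf 'RELATIVE %s\n' "${dir:-.}"
                continue ;;
        esac
        [ -d "$dir" ] || continue

        # -d: the directory itself, -L: follow symlinks, -n: numeric uid/gid.
        meta=$(ls -ldLn "$dir") || continue
        perms=${meta%% *}
        uid=$(printf '%s\n' "$meta" | awk '{print $3}')
        gid=$(printf '%s\n' "$meta" | awk '{print $4}')

        # Owner other than the expected one can replace files in the directory.
        [ "$uid" = "$expected_uid" ] || printf 'OWNER uid=%s %s\n' "$uid" "$dir"
        # Character 6 of the mode string is group write, character 9 is other write.
        case $perms in
            ?????w*) printf 'GROUP-WRITABLE gid=%s %s\n' "$gid" "$dir" ;;
        esac
        case $perms in
            ????????w*) printf 'WORLD-WRITABLE %s\n' "$dir" ;;
        esac
    done
    return 0
}
```

Run as root with `audit_path "$PATH"`; the check covers only the PATH directories themselves, not their parent directories or the files inside them.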