weak default configured permissions on /etc/cobbler/users.digest

Bug #858860 reported by David

Affects: cobbler (Ubuntu)
Importance: High
Assigned to: Robie Basak

Bug Description

In at least oneiric, the debian configuration wizard seems to leave /etc/cobbler/users.digest readable by any user on the system (world readable). This means that local users are able to read and do an offline attack on the password of the configured cobbler account (in the file).

Note: I installed cobbler as a result of installing ubuntu-orchestra.

David (d--)
visibility: private → public
Changed in cobbler (Ubuntu):
importance: Undecided → High
Revision history for this message
Clint Byrum (clint-fewbar) wrote :

Confirmed, simple fix forthcoming. Just need to create the file 600 instead of relying on the default umask.

Changed in cobbler (Ubuntu):
status: New → In Progress
assignee: nobody → Clint Byrum (clint-fewbar)
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cobbler - 2.2.2-0ubuntu1

---------------
cobbler (2.2.2-0ubuntu1) precise; urgency=low

  [Chuck Short]
  * New upstream release:
    + Use dh_python2 everywhere.
    + Folded debian/patches/49_ubuntu_add_arm_arch_support.patch
      and debian/patches/56_ubuntu_arm_generate_pxe_files.patch
      into one patch for easier upstreaming.
    + Dropped debian/patches/50_fix_cobbler_timezone.patch:
      Fix upstream.
    + Dropped debian/patches/47_ubuntu_add_oneiric_codename.patch
      in favor of debian/patches/47_ubuntu_add_codenames.patch:
      It adds "precise" and drops unsupported releases as well.
    + Dropped debian/patches/41_update_tree_path_with_arch.patch:
      No longer needed.
    + Dropped debian/patches/55_ubuntu_branding.patch: Will be moved
      to orchestra

   [Clint Byrum]
   * debian/cobbler.postinst: create users.digest mode 0600 so it
     is not world readable. (LP: #858860)
   * debian/control: cobbler needs to depend on python-cobbler
     (LP: #863738)
   * debian/patches/58_fix_egg_cache.patch: Do not point dangerous
     PYTHON_EGG_CACHE at world writable directory. (LP: #858875)
   * debian/cobbler-common.install: remove users.digest as it is
     not required and contains a known password that would leave
     cobblerd vulnerable if started before configuration is done
   * debian/cobbler-web.postinst: fix perms on webui_sessions to
     be more secure (LP: #863755)

   [Robie Basak]
   * Backport safe YAML load from upstream. (LP: #858883)
 -- Chuck Short <email address hidden> Tue, 15 Nov 2011 12:35:40 -0500

Changed in cobbler (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Robie Basak (racb) wrote :

This doesn't cover the upgrade path, as requested in https://bugs.launchpad.net/ubuntu/+source/cobbler/+bug/858878/comments/5

I'm just noting it here so that I can reference the bug again from a comment in the fix that I'm working on.

Changed in cobbler (Ubuntu):
assignee: Clint Byrum (clint-fewbar) → nobody
assignee: nobody → Robie Basak (racb)
status: Fix Released → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package cobbler - 2.2.2-0ubuntu14

---------------
cobbler (2.2.2-0ubuntu14) precise; urgency=low

  * debian/cobbler.preinst: fix /etc/cobbler/users.digest if upgrading from a
    version that set it world readable (LP: #858860).
 -- Robie Basak <email address hidden> Thu, 05 Jan 2012 09:13:13 +0000

Changed in cobbler (Ubuntu):
status: In Progress → Fix Released
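The two fixes described above (create users.digest with mode 0600 at install time instead of trusting the umask, and tighten an already-installed copy on upgrade), as an added shell example that is not the cobbler package's own postinst/preinst. It works on a temporary directory with a placeholder digest line (both constructed for the demo; the real file is /etc/cobbler/users.digest) and assumes GNU stat for the mode check:

```shell
#!/bin/sh
# Added example, not the cobbler maintainer scripts. Shows the fresh-install
# fix (mode 0600 from creation) and the upgrade-path repair for a file that an
# earlier version left world readable.
set -eu

# Return 0 if any group or other permission bit is set (file is exposed).
# Assumes GNU stat; the last two octal digits are the group/other bits.
is_world_or_group_readable() {
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        *00) return 1 ;;   # only owner bits set: not exposed
        *)   return 0 ;;   # group and/or other bits set: exposed
    esac
}

# Fresh install: permissions are applied at creation, so there is no window
# in which the file exists with umask-derived (typically 0644) permissions.
create_digest_secure() {
    # umask in a subshell leaves the caller's umask untouched
    ( umask 077; : > "$1" )
    chmod 0600 "$1"
}

# Upgrade path: tighten an existing file that a buggy earlier install left
# readable. Returns 0 if it repaired the file, 1 if nothing needed doing.
fix_existing_digest() {
    if [ -f "$1" ] && is_world_or_group_readable "$1"; then
        chmod 0600 "$1"
        return 0
    fi
    return 1
}

# Demo on constructed data: simulate the old buggy install, then repair it.
demo_dir=$(mktemp -d)
printf 'cobbler:Cobbler:PLACEHOLDER_DIGEST\n' > "$demo_dir/users.digest"  # constructed line
chmod 0644 "$demo_dir/users.digest"                                        # what the old umask-based install produced
if fix_existing_digest "$demo_dir/users.digest"; then
    echo "repaired: $(stat -c '%a' "$demo_dir/users.digest")"
fi
create_digest_secure "$demo_dir/fresh.digest"
echo "fresh install mode: $(stat -c '%a' "$demo_dir/fresh.digest")"
rm -rf "$demo_dir"
```

Checking the mode from `stat` rather than `ls` output keeps the check robust to locale and column layout; the same `is_world_or_group_readable` check is what an audit script would run over /etc/cobbler to confirm the fix landed after an upgrade.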
This report contains Public Security information.