On Sat, Nov 19, 2005 at 11:35:09AM +0100, Pierre THIERRY wrote:
> > There are lots of ways that one can manage to lose ACLs and EAs on
> > files using traditional Unix tools;
> But shouldn't simply *all* problematic packages be filed a security bug?
The BTS definition of the security tag is:
This bug describes a security problem in a package (e.g., bad permissions
allowing access to data that shouldn't be accessible; buffer overruns
allowing people to control a system in ways they shouldn't be able to;
denial of service attacks that should be fixed, etc). Most security bugs
should also be set at critical or grave severity.
I don't think this bug really qualifies; it may *lead* to bad permissions as
a result of a user using sed -i without understanding the consequences, but
it's not a hole in the package that an attacker is exploiting directly
(which is how I understand the "security" tag). This bug only manifests if
the user assumes that standard Unix tools work out-of-the-box with ACLs and
EAs -- a very foolish assumption at this point.
Tagging this bug 'security' also doesn't help our security team, as this
isn't a bug they're going to be trying to fix.
Anyway, as far as security is concerned, I would expect anyone using
extended ACLs that need to *block* access to users that would otherwise be
permitted to set appropriate default ACLs on the parent directory, so that
files are automatically created with appropriately strict permissions.
> > Given that most users are going to get this wrong when *not* using the
> > -i option to sed for in-place editing, I don't see any grounds for
> > treating this as a grave bug.
> I see this the opposite way: that make the bug and it's little brothers
> more serious, because it's not isolated...
I don't think that's realistic. I suspect there are quite a number of
package maintainer scripts that don't even preserve *basic* Unix permissions
when making changes to config files. These are certainly bugs, I agree with
that, but it just doesn't make any sense to treat them as release-critical
AFAICS.
--=20
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
<email address hidden> http://www.debian.org/
--Bn2rw/3z4jIqBvZU
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline
Message-ID: <email address hidden>
Date: Sat, 19 Nov 2005 03:17:12 -0800
From: Steve Langasek <email address hidden>
To: Pierre THIERRY <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#339793: sed: In-place editing (-i flag) drops EA (ACLs and user-defined)
--Bn2rw/3z4jIqBvZU Disposition: inline Transfer- Encoding: quoted-printable
Content-Type: text/plain; charset=us-ascii
Content-
Content-
On Sat, Nov 19, 2005 at 11:35:09AM +0100, Pierre THIERRY wrote:
> > There are lots of ways that one can manage to lose ACLs and EAs on
> > files using traditional Unix tools;
> But shouldn't simply *all* problematic packages be filed a security bug?
The BTS definition of the security tag is:
This bug describes a security problem in a package (e.g., bad permissions
allowing access to data that shouldn't be accessible; buffer overruns
allowing people to control a system in ways they shouldn't be able to;
denial of service attacks that should be fixed, etc). Most security bugs
should also be set at critical or grave severity.
I don't think this bug really qualifies; it may *lead* to bad permissions as
a result of a user using sed -i without understanding the consequences, but
it's not a hole in the package that an attacker is exploiting directly
(which is how I understand the "security" tag). This bug only manifests if
the user assumes that standard Unix tools work out-of-the-box with ACLs and
EAs -- a very foolish assumption at this point.
Tagging this bug 'security' also doesn't help our security team, as this
isn't a bug they're going to be trying to fix.
Anyway, as far as security is concerned, I would expect anyone using
extended ACLs that need to *block* access to users that would otherwise be
permitted to set appropriate default ACLs on the parent directory, so that
files are automatically created with appropriately strict permissions.
> > Given that most users are going to get this wrong when *not* using the
> > -i option to sed for in-place editing, I don't see any grounds for
> > treating this as a grave bug.
> I see this the opposite way: that make the bug and it's little brothers
> more serious, because it's not isolated...
I don't think that's realistic. I suspect there are quite a number of
package maintainer scripts that don't even preserve *basic* Unix permissions
when making changes to config files. These are certainly bugs, I agree with
that, but it just doesn't make any sense to treat them as release-critical
AFAICS.
--=20 www.debian. org/
Steve Langasek Give me a lever long enough and a Free OS
Debian Developer to set it on, and I can move the world.
<email address hidden> http://
--Bn2rw/3z4jIqBvZU pgp-signature; name="signature .asc" Description: Digital signature Disposition: inline
Content-Type: application/
Content-
Content-
-----BEGIN PGP SIGNATURE-----
ufymYLloRAlR/ AJ46VkkKFP11G/ kpEUm/Bb/ pGT9wTACfeolb 6QN5oJk0=
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFDfwm4KN6
bIt0TfBcoLS9pt5
=ER4+
-----END PGP SIGNATURE-----
--Bn2rw/ 3z4jIqBvZU- -