Software Sources sets wrong permissions when adding new source
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
software-properties (Ubuntu) | Fix Released | Medium | Unassigned | |
Bug Description
software-
To reproduce:
1. Set default umask to 0027 (that's right, newly created files should not be world readable by default on my system, and ease of use should not compromise security).
2. Go to System -> Administration -> Software Sources. This will ask you for the administrative password. Add a new source like ppa:nijel/ppa and update the sources list.
3. This will result in Update Manager failing to read the sources list file /etc/apt/
4. Making the file world readable (sudo chmod 644 /etc/apt/
Since Update Manager does not ask for the administrative password for retrieving information about updates in order to facilitate automatic update notification, and therefore sources files must be world readable, the software-
Alternatively, the Update Manager can be redesigned to work with tightened file permissions as it once used to. Let the Ubuntu security team have a say before usability is going to destroy security.
ProblemType: Bug
Architecture: amd64
CheckboxSubmission: 84636f17fa3181c
CheckboxSystem: b8f3ec504801f13
Date: Thu Dec 17 17:10:50 2009
DistroRelease: Ubuntu 9.10
InstallationMedia: Ubuntu 9.10 "Karmic Koala" - Release amd64 (20091027.1)
NonfreeKernelMo
Package: software-
PackageArchitec
ProcEnviron:
LANG=ru_RU.UTF-8
SHELL=/bin/bash
ProcVersionSign
SourcePackage: software-properties
Uname: Linux 2.6.31-16-generic x86_64
security vulnerability: | yes → no |
tags: | added: karmic |
Changed in software-properties (Ubuntu): | |
status: | New → Fix Committed |
importance: | Undecided → Medium |
This bug was fixed in the package software-properties - 0.75.8
---------------
software-properties (0.75.8) lucid; urgency=low
[ Michael Vogt ]
* softwareproperties/gtk/SoftwarePropertiesGtk.py:
- do not crash if transient parent can not be set (LP: #83914)
* debian/manpages/software-properties-gtk.1:
- add man-page (thanks to Gabe Gorelick) LP: #290308
* add-apt-repository:
- better help output (LP: #407779)
- do not crash if setlocale fails (LP: #467369)
* software-properties-gtk:
- ensure newly created ppa files are readable (LP: #497778)
* data/software-properties-gtk.desktop.in:
- fix desktop file location (thanks to Ricardo Pérez López)
LP: #543637
* provide apt-add-repository link (LP: #547194)
* debian/manpages/add-apt-repository.1:
- add man-page, thanks to Chow Loong Jin (LP: #407779)
* fix lintian warnings
* softwareproperties/SoftwareProperties.py:
- show summary in addition to comment for disabled entries
(LP: #543207)
[ Harald Sitter ]
* [KDE] Fix bug in I18nHelper, where it would trigger a crash if unicode()
to UTF-8 fails. Fallback to latin1 in this case. This for example happens
when the APT keyring contains a key with non-latin characters, which can
happen with PPA keys, since those contain the owner's name.
-- Michael Vogt <email address hidden> Fri, 26 Mar 2010 13:51:20 +0100
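
The permission behaviour behind this report and the changelog entry for LP: #497778, as an added example that is not software-properties' own code: a file created under umask 0027 loses its world-read bit, while setting the mode explicitly after creation does not depend on the umask. The function names, file names and repository line are constructed for illustration, and everything runs in a temporary directory rather than under /etc/apt/.

```python
import os
import stat
import tempfile

def write_source_file(path, line, force_mode=None):
    """Create a sources-list style file and return its permission bits.

    With force_mode=None the mode is whatever the process umask leaves,
    which is the situation the bug report describes.
    """
    with open(path, "w") as f:
        f.write(line + "\n")
        if force_mode is not None:
            # fchmod is not filtered by the umask, so the mode is exact.
            os.fchmod(f.fileno(), force_mode)
    return stat.S_IMODE(os.stat(path).st_mode)

def not_world_readable(directory):
    """Audit check: *.list files an unprivileged reader could not open."""
    flagged = []
    for name in sorted(os.listdir(directory)):
        mode = os.stat(os.path.join(directory, name)).st_mode
        if name.endswith(".list") and not mode & stat.S_IROTH:
            flagged.append(name)
    return flagged

def demo(umask=0o027):
    """Write one file each way under the reporter's umask, then audit."""
    line = "deb http://ppa.example.invalid/ubuntu karmic main"  # constructed
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            before = write_source_file(os.path.join(d, "before.list"), line)
            after = write_source_file(os.path.join(d, "after.list"), line, 0o644)
            flagged = not_world_readable(d)
    finally:
        os.umask(old)  # restore the caller's umask
    return before, after, flagged

if __name__ == "__main__":
    before, after, flagged = demo()
    print("umask-dependent mode:", oct(before))
    print("explicit mode:       ", oct(after))
    print("not world readable:  ", flagged)
```
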