please use tinyproxy specific user and group
Bug #590634 reported by Seth Arnold
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
tinyproxy (Ubuntu) | Fix Released | Wishlist | Unassigned |
Bug Description
Binary package hint: tinyproxy
Tinyproxy's default configuration is to use nobody:nogroup.
This is a bad idea if other applications are configured to use nobody or nogroup -- I've filed bugs for other applications about this, so I'm sure it happens -- because unrelated applications can signal each other or use up each other's disk quotas or read shared memory segments.
Further, the user 'nobody' exists so NFS servers and other networked file systems have a user they can use for their filesystem tests -- if there are files owned by the user 'nobody', this can grant unexpected access to users via a technique intended to squash all special privileges.
visibility: private → public
Changed in tinyproxy (Ubuntu):
status: New → Confirmed
importance: Undecided → Wishlist
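An added example (not part of the bug report or of the tinyproxy package): a small Python audit for the condition the report describes. It flags `User`/`Group` directives in tinyproxy.conf-style text that point at nobody or nogroup, and lists UIDs shared by more than one program, read from `/proc/<pid>/status` content. The sample configuration, the `exampled` process and the function names are constructed for illustration.

```python
import glob
import re
from collections import defaultdict

SHARED_ACCOUNTS = {"nobody", "nogroup"}  # catch-all accounts named in the report

# Constructed sample input (not taken from a real system).
SAMPLE_CONF = "Port 8888\n#User tinyproxy\nUser nobody\nGroup nogroup\n"
SAMPLE_STATUS = [
    "Name:\ttinyproxy\nUid:\t65534\t65534\t65534\t65534\n",
    "Name:\texampled\nUid:\t65534\t65534\t65534\t65534\n",  # hypothetical daemon
    "Name:\tsshd\nUid:\t0\t0\t0\t0\n",
]

def conf_identity(conf_text):
    """Return the User/Group values set in tinyproxy.conf-style text."""
    found = {}
    for line in conf_text.splitlines():
        # Commented-out lines start with '#' and therefore never match.
        m = re.match(r'\s*(User|Group)\s+"?([^"\s#]+)"?', line, re.I)
        if m:
            found[m.group(1).capitalize()] = m.group(2)
    return found

def conf_findings(conf_text):
    """List directives that put the daemon on a shared catch-all account."""
    ident = conf_identity(conf_text)
    return [f"{k} {v}" for k, v in ident.items() if v in SHARED_ACCOUNTS]

def parse_status(text):
    """Extract program name and effective UID from /proc/<pid>/status text."""
    fields = dict(l.split(":", 1) for l in text.splitlines() if ":" in l)
    return fields["Name"].strip(), int(fields["Uid"].split()[1])

def shared_uid_groups(status_texts):
    """Map UID -> program names, keeping UIDs used by more than one program."""
    by_uid = defaultdict(set)
    for text in status_texts:
        name, uid = parse_status(text)
        by_uid[uid].add(name)
    return {u: sorted(n) for u, n in by_uid.items() if len(n) > 1}

if __name__ == "__main__":
    print(conf_findings(SAMPLE_CONF))
    live = []
    for path in glob.glob("/proc/[0-9]*/status"):
        try:
            with open(path) as fh:
                live.append(fh.read())
        except OSError:  # process exited while scanning
            continue
    print(shared_uid_groups(live))
```

On a live system UID 0 will also appear in the shared list, since many programs run as root; the entry of interest is the one for the nobody account.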
This bug was fixed in the package tinyproxy - 1.8.4-2
---------------
tinyproxy (1.8.4-2) unstable; urgency=medium
* Remove obsolete preinst and postinst maintainer scripts.
* Add a tinyproxy system user to run the daemon (LP: #590634).
* Move tinyproxy.conf to /etc/tinyproxy, using dpkg-maintscript-helper.
* Move filter file location to /etc/tinyproxy as well.
* Remove obsolete README.Debian.
* Set sysconfdir to /etc/tinyproxy.
* Adjust tinyproxy.conf and tinyproxy.tmpfiles for tinyproxy user.
* Make /var/log/tinyproxy owned by tinyproxy.
* Add NEWS.Debian entry with warning about the tinyproxy user changes.
* Remove /var/log/tinyproxy on purge.
* Move handling of /var/log/tinyproxy permissions to postinst.
* Stop installing templates by hand, upstream build system also does it.
-- Jordi Mallach <email address hidden> Sat, 21 Jan 2017 12:40:00 +0100