/var/lib/ufw is world readable.

Bug #393187 reported by Steven on 2009-06-28

Bug Description

/var/lib/ufw is world readable, thus exposing the current firewall setup. While not a major security flaw, it is not a good practice and makes all of the other attempts to hide the current firewall configuration pointless.

ufw version: 0.27-0ubuntu2

Jamie Strandboge (jdstrand) wrote :

Thank you for using ufw and taking the time to report a bug.

This would also affect /etc/ufw, btw. Though I disagree that this is a security vulnerability (it is easy enough to figure out what the general firewall policy is if you have login access to the machine). The files are world-readable for administrative purposes. That said, I do think it would be a security enhancement to make the directories 750, and plan to do that. This will give hints to distributions to chgrp the directories to an administrative group.

Changed in ufw:
status: New → Confirmed
security vulnerability: yes → no
visibility: private → public
Changed in ufw:
importance: Undecided → Low
Changed in ufw:
status: Confirmed → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Fixed in 0.28.

Changed in ufw:
status: Fix Committed → Fix Released
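
An audit for the condition discussed in this report, as an added example that is not part of the bug thread or of ufw itself: it checks whether "other" still has any permission bits on the two directories named above and suggests the 750 mode mentioned in the comment. It assumes GNU stat (coreutils), as on Ubuntu; the function names and the `--audit` switch are hypothetical.

```shell
#!/bin/sh
# Added example: report ufw directories that users outside the owner and
# group can still access. Assumes GNU stat; function names are made up here.

# Print the octal mode of a path, e.g. 750.
mode_of() {
    stat -c '%a' -- "$1"
}

# Return 0 if "other" has no permission bits on the path,
# 1 if it has at least one, 2 if the path cannot be examined.
other_has_no_access() {
    [ -e "$1" ] || return 2
    m=$(mode_of "$1") || return 2
    # The last octal digit carries the r/w/x bits for "other".
    case "$m" in
        *0) return 0 ;;
        *)  return 1 ;;
    esac
}

# Print one line per directory (mode, owner:group, path) and return the
# number of directories that "other" can still access.
audit_dirs() {
    bad=0
    for d in "$@"; do
        if other_has_no_access "$d"; then
            echo "OK    $(mode_of "$d") $(stat -c '%U:%G' -- "$d") $d"
        else
            case $? in
                1) echo "OPEN  $(mode_of "$d") $(stat -c '%U:%G' -- "$d") $d (suggest: chmod 750)"
                   bad=$((bad + 1)) ;;
                *) echo "SKIP  $d (not found)" ;;
            esac
        fi
    done
    return "$bad"
}

# Check the two directories named in the report when run with --audit.
if [ "${1:-}" = "--audit" ]; then
    audit_dirs /etc/ufw /var/lib/ufw
fi
```

The owner:group column shows whether a directory has been given to an administrative group, which matters once "other" no longer has read access.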