04-05-2011, 03:27 PM
Santiago Vila

Bug#620458: base-files: Please make /var/run world-writable and sticky, like /var/lock and /tmp

reassign 620458 general
thanks

On Fri, 1 Apr 2011, Josh Triplett wrote:

> Package: base-files
> Version: 6.1
> Severity: wishlist
>
> /tmp and /var/lock currently allow writes by anyone, with the sticky bit
> set to only allow removal by the owner. Please consider doing the same
> for /var/run. That would allow daemons run as non-root users (including
> those run as part of user sessions) to put their sockets in /var/run.

I will be happy to change the default permissions once every
program is modified to support both 755 and 1777 permissions.

But until then, this is *hardly* a bug in base-files (as I can't fix it)
but a general bug, as it affects a large number of packages, hence the
reassign.



--
To UNSUBSCRIBE, email to debian-devel-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/alpine.DEB.2.00.1104051722280.21245@cantor.unex.es
 
04-05-2011, 04:31 PM
Yaroslav Halchenko

Bug#620458: base-files: Please make /var/run world-writable and sticky, like /var/lock and /tmp

sorry for a blunt follow-up -- wouldn't making /var/run writable by
regular mortals ask for security concerns if an attacker starts
pre-creating files/pipes trying to steal the communications of
daemons spawned by root or just ruin some data on the system by
symlinking against root-owned files?

On Tue, 05 Apr 2011, Santiago Vila wrote:
> > /tmp and /var/lock currently allow writes by anyone, with the sticky bit
> > set to only allow removal by the owner. Please consider doing the same
> > for /var/run. That would allow daemons run as non-root users (including
> > those run as part of user sessions) to put their sockets in /var/run.

> I will be happy to change the default permissions once every
> program is modified to support both 755 and 1777 permissions.

> But until then, this is *hardly* a bug in base-files (as I can't fix it)
> but a general bug, as it affects a large number of packages, hence the
> reassign.
--
=------------------------------------------------------------------=
Keep in touch www.onerussian.com
Yaroslav Halchenko www.ohloh.net/accounts/yarikoptic



Archive: http://lists.debian.org/20110405163159.GT6199@onerussian.com
 
04-05-2011, 09:48 PM
Russell Coker

Bug#620458: base-files: Please make /var/run world-writable and sticky, like /var/lock and /tmp

On Wed, 6 Apr 2011, Yaroslav Halchenko <debian@onerussian.com> wrote:
> sorry for a blunt follow-up -- wouldn't making /var/run writable by
> regular mortals ask for security concerns if an attacker starts
> pre-creating files/pipes trying to steal the communications of
> daemons spawned by root or just ruin some data on the system by
> symlinking against root-owned files?

There have been security issues with daemons using /tmp for Unix domain
sockets in the past.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/


Archive: http://lists.debian.org/201104060748.16848.russell@coker.com.au
 
04-06-2011, 02:56 PM
Goswin von Brederlow

Bug#620458: base-files: Please make /var/run world-writable and sticky, like /var/lock and /tmp

Russell Coker <russell@coker.com.au> writes:

> On Wed, 6 Apr 2011, Yaroslav Halchenko <debian@onerussian.com> wrote:
>> sorry for a blunt follow-up -- wouldn't making /var/run writable by
>> regular mortals ask for security concerns if an attacker starts
>> pre-creating files/pipes trying to steal the communications of
>> daemons spawned by root or just ruin some data on the system by
>> symlinking against root-owned files?
>
> There have been security issues with daemons using /tmp for Unix domain
> sockets in the past.

And the same issues would happen in /var/run. A different base path
doesn't make security bugs disappear.

MfG
Goswin


Archive: http://lists.debian.org/87r59fbf7x.fsf@frosties.localnet
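
Added example, not part of the original thread: the pre-planted symlink concern raised in the thread, reproduced in a private scratch directory, with a naive pid-file open beside one that uses O_CREAT|O_EXCL|O_NOFOLLOW. The function names, file names and the 26-byte "victim" file are constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive: follows whatever is already at the path and truncates its target. */
int write_pidfile_naive(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    dprintf(fd, "%ld\n", (long)getpid());
    return close(fd);
}

/* Hardened: O_EXCL makes open() fail with EEXIST if anything, even a
 * dangling symlink, already sits at the path, so nothing is followed. */
int write_pidfile_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    dprintf(fd, "%ld\n", (long)getpid());
    return close(fd);
}

/* Constructed scenario: a symlink to a 26-byte "victim" file is planted at
 * the pid-file path before the writer runs. Returns the victim's size after. */
long victim_size_after(int (*writer)(const char *)) {
    char dir[] = "/tmp/varrun-demo-XXXXXX", victim[64], pidpath[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(pidpath, sizeof pidpath, "%s/daemon.pid", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("important root-owned data\n", f);
    fclose(f);
    if (symlink(victim, pidpath) != 0) return -1;
    (void)writer(pidpath);          /* the safe writer is expected to refuse */
    struct stat st;
    long size = stat(victim, &st) == 0 ? (long)st.st_size : -1;
    unlink(pidpath); unlink(victim); rmdir(dir);
    return size;
}

int main(void) {
    printf("naive: victim is %ld bytes\n", victim_size_after(write_pidfile_naive));
    printf("safe:  victim is %ld bytes\n", victim_size_after(write_pidfile_safe));
    return 0;
}
```

The scratch directory comes from mkdtemp() and is private to the caller, so the kernel's fs.protected_symlinks restriction on sticky world-writable directories does not affect the result.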