Package: yubiserver
Version: 0.2-3
Severity: wishlist

Hi,

yubiserver's postinst script currently chmod's /etc/yubiserver and /usr/bin/yubiserver{,-admin} to 0700. This causes the following issues:

• All files under /etc/yubiserver are rendered executable because of the use of chmod -R
• A non-root user cannot execute any of the binaries shipped

Since the whole application state resides in the sqlite database, it would suffice to just restrict access to the database file instead (see also #690837) and let the application gracefully handle failure to open the database file. In this case, it would also make sense to create a special group (e.g. yubiserver) and make the database file group-writable by this group, allowing the local administrator to grant yubiserver-admin access to regular users.

Finally, since the daemon binds to a non-privileged port by default and since the daemon itself has no support for dropping privileges, it would make sense to also create a dedicated system user and have yubiserver run as that user by default instead of running as root.

Thanks,
Apollon

-- System Information:
Debian Release: 6.0.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable'), (90, 'unstable'), (80, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-0.bpo.2-amd64 (SMP w/8 CPU cores)
Locale: LANG=el_GR.UTF-8, LC_CTYPE=el_GR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages yubiserver depends on:
ii  libc6         2.11.3-4          Embedded GNU C Library: Shared lib
ii  libconfig9    1.4.8-5           parsing and manipulation of struct
ii  libev4        1:4.11-1          high-performance event loop librar
ii  libgcrypt11   1.5.0-3           LGPL Crypto library - runtime libr
ii  libmhash2     0.9.9.9-1         Library for cryptographic hashing
ii  libsqlite3-0  3.7.13-1~bpo60+1  SQLite 3 shared library

yubiserver recommends no packages.

yubiserver suggests no packages.

-- Configuration Files:
/etc/yubiserver/yubiserver.cfg [Errno 13] Permission denied: u'/etc/yubiserver/yubiserver.cfg'
/etc/yubiserver/yubiserver.sqlite [Errno 13] Permission denied: u'/etc/yubiserver/yubiserver.sqlite'

-- no debconf information

--
Apollon Oikonomopoulos
apol...@skroutz.gr
Skroutz S.A.
http://skroutz.gr
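
An added example, not part of the original report or of yubiserver's packaging: shell functions that put the permission handling described in the report beside the proposed one, with an audit helper that counts the files left executable. The function names, the staging-prefix argument, the modes 0644/0660/0755 and the scratch tree are assumptions; the account name yubiserver is the report's own suggestion.

```shell
#!/bin/sh
# Added example; function names, modes and the staging prefix are assumptions.
# $1 is a staging prefix ("" on a real system) so the functions can be tried
# on a scratch tree without root.

# Behaviour described in the report: recursive 0700 on the config directory.
apply_current() {
    chmod -R 0700 "$1/etc/yubiserver"
    chmod 0700 "$1/usr/bin/yubiserver" "$1/usr/bin/yubiserver-admin"
}

# System user plus same-named group via Debian's adduser (needs root).
ensure_account() {
    getent passwd "$1" >/dev/null ||
        adduser --system --group --quiet --no-create-home --home /nonexistent "$1"
}

# Proposal from the report: only the database is restricted; $2 is the
# optional group that may write to it.
apply_proposed() {
    chmod 0755 "$1/etc/yubiserver" "$1/usr/bin/yubiserver" "$1/usr/bin/yubiserver-admin"
    chmod 0644 "$1/etc/yubiserver/yubiserver.cfg"
    if [ -n "${2:-}" ]; then
        chgrp "$2" "$1/etc/yubiserver/yubiserver.sqlite"
    fi
    chmod 0660 "$1/etc/yubiserver/yubiserver.sqlite"
}

# Audit helpers: count regular files carrying the owner-execute bit, and
# test a path for an exact mode.
exec_files() { find "$1" -type f -perm -0100 | wc -l; }
has_mode() { [ -n "$(find "$1" -prune -perm "$2")" ]; }

# Constructed scratch tree mirroring the paths named in the report.
make_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/yubiserver" "$t/usr/bin"
    for f in etc/yubiserver/yubiserver.cfg etc/yubiserver/yubiserver.sqlite \
             usr/bin/yubiserver usr/bin/yubiserver-admin; do
        : > "$t/$f"
    done
    echo "$t"
}
```

SQLite creates its rollback journal beside the database file, so members of the group also need write access to the directory that holds yubiserver.sqlite before writes through yubiserver-admin succeed.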