Bug#340981: debian-installer and world writable directories

Wed, 30 Nov 2005 08:10:52 -0800 

Joey Hess wrote:

Yes, the installation-report package owns the logs post sarge. In sarge,
purging base-config will remove the logs, but users may not want to do
that.



Great, but may I propose that base-config adopts installation logs in 
sarge?



At least this patch seems quite simple. It just removes the write 
permissions in a base-config update. Since the directory was open for 
writing quite a while, manual inspection of the contents by the admin is 
a must though.


-Mikko

diff -Nu base-config-2.53.10/debian/changelog base-config-2.53.10.sarge.mkr1/debian/changelog
--- base-config-2.53.10/debian/changelog	2005-05-15 21:56:15.000000000 +0300
+++ base-config-2.53.10.sarge.mkr1/debian/changelog	2005-11-30 17:31:58.007806120 +0200
@@ -1,3 +1,10 @@
+base-config (2.53.10.sarge.mkr1) testing; urgency=low
+
+  * Added preinst script to remove /var/log/debian-installer/cdebconf
+    group and other write permissions.
+
+ -- Mikko Rapeli <[EMAIL PROTECTED]>  Wed, 30 Nov 2005 17:31:34 +0200
+
 base-config (2.53.10) testing; urgency=low
 
   * Christian Perrier
Common subdirectories: base-config-2.53.10/debian/po and base-config-2.53.10.sarge.mkr1/debian/po
diff -Nu base-config-2.53.10/debian/preinst base-config-2.53.10.sarge.mkr1/debian/preinst
--- base-config-2.53.10/debian/preinst	1970-01-01 02:00:00.000000000 +0200
+++ base-config-2.53.10.sarge.mkr1/debian/preinst	2005-11-30 17:23:54.770269392 +0200
@@ -0,0 +1,18 @@
+#!/bin/sh
+#DEBHELPER#
+set -e
+
+CDEBCONF="/var/log/debian-installer/cdebconf"
+
+# debian-installer sarge version leaves $CDEBCONF writable to all.
+# The directory is not owned by any package in sarge, but base-config
+# is closest to debian-installer so adding this simple script is not
+# that big of a violation. This script does not need to be in post sarge
+# base-config package. 
+
+# Note: The directory content may have been modified by any user on the system.
+
+# Remove group and other write rights. maxdepth 0 scans only the specified file.
+if [ -n $( find  $CDEBCONF -type d -maxdepth 0 -perm +go=w ) ]; then
+	chmod go-w $CDEBCONF
+fi






















					Reply via email to