Package: krb5-kdc, krb5-keytab-backend
Severity: important
X-Debbugs-Cc: Helmut Grohne <hel...@subdivi.de>
Hi!

While analyzing the archive for mismatched file metadata (as part of the preparation to add support into dpkg; thanks to Helmut for gathering the data from the archive), I noticed that these two packages have a mismatch in the permissions for the /etc/krb5kdc/ directory, where there could be security implications if the contents are expected to contain secrets that only root is supposed to read, as the permissions of the directory are decided by the first package being unpacked, and subsequent directory unpacks get ignored (including any change in permissions).

  $ dpkg-deb -c krb5-kdc_1.21.3-3_amd64.deb | grep etc/krb5kdc
  drwx------ root/root         0 2024-07-05 19:25 ./etc/krb5kdc/

  $ dpkg-deb -c krb5-keytab-backend_1.5-1.1_all.deb | grep etc/krb5kdc
  drwxr-xr-x root/root         0 2024-08-02 01:29 ./etc/krb5kdc/
  -rw-r--r-- root/root       287 2024-06-20 19:20 ./etc/krb5kdc/allow-extract

I'm not sure which one is correct. Assigned to both for awareness and coordination purposes, feel free to reassign to whichever might need to adapt the permissions.

If this has security implications then it might be worth setting the security tag, raising the severity and perhaps preparing a change for a stable update too? If there are no security implications, it would still be good to make the permissions consistent, otherwise dpkg would start warning or erroring out on mismatched metadata once the support gets in and is enabled.

Thanks,
Guillem
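The check described above (comparing directory metadata across packages that ship the same path, and flagging the case where one package keeps a directory root-only while another makes it world-readable) can be reproduced from `dpkg-deb -c` listings alone. The following is an added example, not code from the bug report or from dpkg; it parses tar-style listing lines, reports paths whose mode or ownership differs between packages, and singles out directories where the outcome depends on unpack order. The two listings are embedded verbatim from the report so it runs offline; the `pkg_listings` dictionary and the function names are constructed for this example.

```python
"""Find directory-metadata mismatches across .deb archives from `dpkg-deb -c` output."""
import re
from collections import defaultdict

# One tar-style listing line: mode owner/group size date time path [-> target]
_LINE = re.compile(
    r"^(?P<mode>[-dlcbpsh][rwxsStT-]{9})\s+(?P<owner>\S+)\s+(?P<size>\d+)\s+"
    r"(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<path>.+?)(?:\s+->\s+\S+)?$"
)

# Constructed sample input: the two listings quoted in the bug report.
KRB5_KDC_LISTING = """\
drwx------ root/root         0 2024-07-05 19:25 ./etc/krb5kdc/
"""
KRB5_KEYTAB_BACKEND_LISTING = """\
drwxr-xr-x root/root         0 2024-08-02 01:29 ./etc/krb5kdc/
-rw-r--r-- root/root       287 2024-06-20 19:20 ./etc/krb5kdc/allow-extract
"""
# Hypothetical mapping of package name -> listing text; in practice fill it
# from `dpkg-deb -c <pkg>.deb` for every package you want to compare.
pkg_listings = {
    "krb5-kdc": KRB5_KDC_LISTING,
    "krb5-keytab-backend": KRB5_KEYTAB_BACKEND_LISTING,
}


def parse_listing(text):
    """Return {path: (mode, owner)} for every entry in a dpkg-deb -c listing."""
    entries = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # skip blank lines and anything that is not a listing entry
        path = m.group("path")
        if path.startswith("./"):
            path = path[2:]
        path = path.rstrip("/")  # './etc/krb5kdc/' and './etc/krb5kdc' are the same path
        entries[path] = (m.group("mode"), m.group("owner"))
    return entries


def find_mismatches(pkg_listings):
    """Return {path: {pkg: (mode, owner)}} for paths shipped by more than one
    package with differing mode or ownership."""
    seen = defaultdict(dict)
    for pkg, text in pkg_listings.items():
        for path, meta in parse_listing(text).items():
            seen[path][pkg] = meta
    return {
        path: by_pkg
        for path, by_pkg in seen.items()
        if len(by_pkg) > 1 and len(set(by_pkg.values())) > 1
    }


def world_readable_dirs(mismatches):
    """Subset of mismatched directories where at least one package grants 'other'
    read access and at least one denies it. Because the first package unpacked
    decides the directory's mode, such a path may end up readable by everyone
    even though the stricter package intended it to be root-only."""
    risky = {}
    for path, by_pkg in mismatches.items():
        modes = {mode for mode, _owner in by_pkg.values() if mode[0] == "d"}
        if any(m[7] == "r" for m in modes) and any(m[7] == "-" for m in modes):
            risky[path] = sorted(modes)
    return risky


if __name__ == "__main__":
    mismatches = find_mismatches(pkg_listings)
    for path, by_pkg in sorted(mismatches.items()):
        print(f"{path}:")
        for pkg, (mode, owner) in sorted(by_pkg.items()):
            print(f"  {mode} {owner}  {pkg}")
    for path, modes in world_readable_dirs(mismatches).items():
        print(f"unpack-order dependent exposure: {path} {modes}")
```

To run it against real archives, replace the embedded strings with the output of `dpkg-deb -c` for each package; the mode check only looks at the "other" read bit, which is what decides whether a non-root user can list a directory's contents.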