Control: reassign -1 krb5-keytab-backend

Guillem Jover <guil...@debian.org> writes:

> While analyzing the archive for mismatched file metadata (as part of the
> preparation to add support into dpkg), thanks to Helmut gathering the
> data from the archive. I noticed that these two packages have a mismatch
> in the permissions for the /etc/krb5kdc/ directory, where there could be
> security implications, if the contents are expected to contain secrets
> that only root is supposed to read, as the permissions of the directory
> are decided by the first package being unpacked, and subsequent
> directory unpacks get ignored (including any change in permissions).
>
>   $ dpkg-deb -c krb5-kdc_1.21.3-3_amd64.deb | grep etc/krb5kdc
>   drwx------ root/root         0 2024-07-05 19:25 ./etc/krb5kdc/
>   $ dpkg-deb -c krb5-keytab-backend_1.5-1.1_all.deb | grep etc/krb5kdc
>   drwxr-xr-x root/root         0 2024-08-02 01:29 ./etc/krb5kdc/
>   -rw-r--r-- root/root       287 2024-06-20 19:20 ./etc/krb5kdc/allow-extract
>
> I'm not sure which one is correct.

Whoops, thanks, this is an oversight in krb5-keytab-backend. The krb5-kdc
permissions are correct. I will take a look.

> Assigned to both for awareness and coordination purposes, feel free to
> reassign to whichever might need to adapt the permissions. If this has
> security implications then it might be worth to set the security tag,
> and raise the severity and perhaps prepare a change for a stable update
> too? If there are no security implications, it would still be good to
> make the permissions consistent, otherwise dpkg would start warning or
> erroring out on mismatched metadata once the support gets in and is
> enabled.

I don't think there are obvious security implications (I think the
permissions are more precautionary, and it's also fairly unlikely that
anyone will have installed krb5-wallet before krb5-kdc), although Sam,
please let me know if you think I'm wrong.

krb5-wallet has never been in a stable release, so no worries about stable
fixes.

-- 
Russ Allbery (r...@debian.org)              <https://www.eyrie.org/~eagle/>
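
An added example, not part of the original message and not dpkg's own code: a Python sketch of the check described in the report, comparing directory entries across `dpkg-deb -c` listings and flagging any directory shipped with differing mode or owner. The function names are hypothetical; the sample listings are the two quoted in the report.

```python
import stat
from collections import defaultdict

# Listings quoted in the bug report (output of `dpkg-deb -c <package>.deb`).
LISTINGS = {
    "krb5-kdc": """\
drwx------ root/root         0 2024-07-05 19:25 ./etc/krb5kdc/
""",
    "krb5-keytab-backend": """\
drwxr-xr-x root/root         0 2024-08-02 01:29 ./etc/krb5kdc/
-rw-r--r-- root/root       287 2024-06-20 19:20 ./etc/krb5kdc/allow-extract
""",
}

def mode_bits(perms):
    """Convert an ls-style string such as 'drwxr-xr-x' to its rwx bits.
    'S'/'T' mean a special bit without execute, so they count as unset."""
    bits = 0
    for ch in perms[1:10]:
        bits = (bits << 1) | (ch not in "-ST")
    return bits

def parse_dirs(listing):
    """Yield (path, mode, owner) for each directory line of a listing."""
    for line in listing.splitlines():
        fields = line.split(None, 5)  # perms, owner, size, date, time, path
        if len(fields) == 6 and fields[0].startswith("d"):
            yield fields[5].rstrip("/"), mode_bits(fields[0]), fields[1]

def find_mismatches(listings):
    """Return {path: {package: (mode, owner)}} where packages disagree."""
    seen = defaultdict(dict)
    for pkg, listing in listings.items():
        for path, mode, owner in parse_dirs(listing):
            seen[path][pkg] = (mode, owner)
    return {p: m for p, m in seen.items() if len(set(m.values())) > 1}

def exposes_to_others(mode):
    """True if group or other have any access to the directory."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))

if __name__ == "__main__":
    for path, pkgs in find_mismatches(LISTINGS).items():
        for pkg, (mode, owner) in sorted(pkgs.items()):
            note = "group/other access" if exposes_to_others(mode) else "owner only"
            print(f"{path}  {pkg}: {mode:04o} {owner}  ({note})")
```

Because the first package unpacked decides the on-disk mode, every package reported for a path is a candidate for what ends up installed, so the most permissive entry is the one to review.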