Hi! On Fri, 2024-09-20 at 16:40:57 -0700, Russ Allbery wrote: > Control: reassign -1 krb5-keytab-backend
> Guillem Jover <guil...@debian.org> writes: > > While analyzing the archive for mismatched file metadata (as part of the > > preparation to add support into dpkg), thanks to Helmut gathering the > > data from the archive. I noticed that these two packages have a mismatch > > in the permissions for the /etc/krb5kdc/ directory, where there could be > > security implications, if the contents are expected to contain secrets > > that only root is supposed to read, as the permissions of the directory > > are decided by the first package being unpacked, and subsequent > > directory unpacks get ignored (including any change in permissions). > > > $ dpkg-deb -c krb5-kdc_1.21.3-3_amd64.deb | grep etc/krb5kdc > > drwx------ root/root 0 2024-07-05 19:25 ./etc/krb5kdc/ > > $ dpkg-deb -c krb5-keytab-backend_1.5-1.1_all.deb | grep etc/krb5kdc > > drwxr-xr-x root/root 0 2024-08-02 01:29 ./etc/krb5kdc/ > > -rw-r--r-- root/root 287 2024-06-20 19:20 > > ./etc/krb5kdc/allow-extract > > > I'm not sure which one is correct. > > Whoops, thanks, this is an oversight in krb5-keytab-backend. The krb5-kdc > permissions are correct. I will take a look. Perfect, thanks! > > Assigned to both for awareness and coordination purposes, feel free to > > reassign to whichever might need to adapt the permissions. If this has > > security implications then it might be worth to set the security tag, > > and rise the severity and perhaps prepare a change for a stable update > > too? If there are no security implications, it would still be good to > > make the permissions consistent, otherwise dpkg would start warning or > > erroring out on mismatched metadata once the support gets in and is > > enabled. > > I don't think there are obvious security implications (I think the > permissions are more precautionary, and it's also fairly unlikely that > anyone will have installed krb5-wallet before krb5-kdc), although Sam, > please let me know if you think I'm wrong. AFAICT the dependency chain is: krb5-keytab-backend Depends→ krb5-admin-server Depends→ krb5-kdc And no Pre-Depends involved, so if someone installed krb5-keytab-backend w/o having previously installed krb5-kdc, then the unpack order is not guaranteed (as apt for example does an unpack stage first, then a configure one later on, if no Essential or Pre-Depends are involved) and the wrong permissions could already be on disk, and then preserved over upgrades. So perhaps it might be a good idea to check (in case there are no statoverrides) whether the perms are unexpected and fix those up? Just to make sure. :) > krb5-wallet has never been in a stable release, so no worries about stable > fixes. Ah, great then. Thanks, Guillem
