Your message dated Tue, 17 Jul 2007 02:53:59 +0300
with message-id <[EMAIL PROTECTED]>
and subject line Closing woody bugs
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: sympa
Version: 3.3.3-3
Severity: serious
Tags: woody, security, patch

1) INSTALLATION BUG:

Summary: bug#167948 prevents installation with postgres and the fix
was never back-ported to woody.  Version 3.3.3-3 remains uninstallable
with postgres on woody.

See also:
* Bug#167948 (and 170721)
* http://lists.debian.org/debian-isp/2003/debian-isp-200306/msg00018.html

2) SECURITY ISSUE:

Sympa 3.3.3-3 creates a postgres user with unnecessarily generous granting
of privilege.  Such a suite of privileges is, IMHO, not necessary and
only serves as a potential security risk.  This too appears to have been
addressed for sarge in the closing of Bug#167948 but never back-ported to
woody.

Suggested fix for both these issues (crufty patch to install-pg-db) is
appended for consideration.

Note that my suggested fix does not address the situation where the
postgres user has been created with excessive privileges and arguably
should have some of these removed.

Regards,
Neale.

--- install-pg-db-dist  Mon Nov 11 22:42:28 2002
+++ install-pg-db       Sat Jun  7 11:52:02 2003
@@ -52,12 +52,18 @@
 $dbh->do("DELETE FROM pg_shadow WHERE usename='sympa'");
 
 # Get a sysid 
-my $usesysid = $dbh->do("SELECT MAX(usesysid) + 1 FROM pg_shadow");
+# This is badly broken...
+#my $usesysid = $dbh->do("SELECT MAX(usesysid) + 1 FROM pg_shadow");
+# This is the minimal fix...
+#my $usesysid = @{$dbh->selectcol_arrayref("SELECT MAX(usesysid) + 1 FROM 
pg_shadow")}[0];
+
+# IMHO This is probably a more correct fix (see bug#167948)...
+#$dbh->do("INSERT INTO pg_shadow".
+#         "(usename, usesysid, usecreatedb, usetrace, usesuper, usecatupd, 
passwd)".
+#       "VALUES".
+#         "('sympa', $usesysid, 't', 't', 't', 't', '$userpass')");
+$dbh->do("create user sympa with password '$userpass' nocreatedb 
nocreateuser");
 
-$dbh->do("INSERT INTO pg_shadow".
-         "(usename, usesysid, usecreatedb, usetrace, usesuper, usecatupd, 
passwd)".
-        "VALUES".
-         "('sympa', $usesysid, 't', 't', 't', 't', '$userpass')");
 
 $dbh->disconnect();
 
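Review bot: in the added `create user sympa with password '$userpass' nocreatedb nocreateuser` line, $userpass is interpolated straight into the SQL text, so a password containing a single quote breaks or alters the statement; build the literal with $dbh->quote($userpass) instead. The commented-out alternatives (the original do() call, the selectcol_arrayref variant and the old INSERT) should be dropped from the patch and the reasoning kept in the changelog, since the last of them leaves the all-'t' privilege row in the file where it can be re-enabled by accident. The unchanged `DELETE FROM pg_shadow WHERE usename='sympa'` line above still edits the catalog directly; a DROP USER would be consistent with the new CREATE USER.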
@@ -90,6 +96,9 @@
               ")")};
 
 eval {$dbh->("CREATE INDEX subscriber_idx ON subscriber_table 
(user_subscriber,list_subscriber)")};
+
+eval {$dbh->do("GRANT ALL ON user_table TO sympa")};
+eval {$dbh->do("GRANT ALL ON subscriber_table TO sympa")};
 
 $dbh->disconnect();
 
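Review bot: the two added GRANT lines run inside eval with no check of $@, so if either grant fails the script finishes quietly and the sympa account, now created without superuser rights, is left unable to use its tables; test $@ (or the return value of do()) and die with the error. GRANT ALL is also wider than the least-privilege aim of the report suggests; consider naming only the privileges the application needs on user_table and subscriber_table. The context line just above reads `eval {$dbh->("CREATE INDEX subscriber_idx ...` with no ->do, which dies inside the eval, so the index is never created and nothing reports it.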



--- End Message ---
--- Begin Message ---
closing as woody is no longer supported

--- End Message ---
