I have bugger all knowledge on how to use the debian bugs system, and to be honest, keep finding it quite unhelpful.
so. you have now bothered to tell me what the problem is. thanks :/ weird
that we worked on this last year, but this was not noticed.

I would still like to know what exactly _is_ the Debian policy for
creating safe session file locations.

sven

Dmitry E. Oboukhov wrote:
> reopen 494648
> thanks
>
> If you want, You may merge the bugs 444982 494648, don't close!
>
> $ ln -s /etc/shadow /tmp/twiki
> $ LANG=C sudo apt-get install twiki
> Reading package lists... Done
> Building dependency tree
> Reading state information... Done
> ....
> Setting up twiki (1:4.1.2-3.2) ...
> Adding password for user TWikiGuest
> Adding password for user admin
> reloading apache2 config
> Reloading web server config: apache2.
> $ ll /etc/shadow
> -rwxrwxrwt 1 www-data www-data 1339 ??? 28 10:26 /etc/shadow
>
> On 12:09 Wed 13 Aug , Debian Bug Tracking System wrote:
>
> DBTS> This is an automatic notification regarding your Bug report
> DBTS> which was filed against the twiki package:
>
> DBTS> #494648: The possibility of attack with the help of symlinks in some Debian packages
>
> DBTS> It has been closed by Sven Dowideit <[EMAIL PROTECTED]>.
>
> DBTS> Their explanation is attached below along with your original report.
> DBTS> If this explanation is unsatisfactory and you have not received a
> DBTS> better one in a separate message then please contact Sven Dowideit <[EMAIL PROTECTED]> by
> DBTS> replying to this email.
>
> DBTS> --
> DBTS> 494648: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=494648
> DBTS> Debian Bug Tracking System
> DBTS> Contact [EMAIL PROTECTED] with problems
>
> DBTS> Date: Wed, 13 Aug 2008 22:06:46 +1000
> DBTS> From: Sven Dowideit <[EMAIL PROTECTED]>
> DBTS> To: [EMAIL PROTECTED]
> DBTS> Subject: duplicate of Bug#444982, which was fixed in Oct 2007
> DBTS> User-Agent: Mozilla-Thunderbird 2.0.0.16 (X11/20080724)
>
> DBTS> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=444982
>
> DBTS> Implemented Joey's suggestion of 1777 & O_EXCL - mostly the files in
> DBTS> /tmp are written by CGI::Session, that takes care of things.
> DBTS> Also moved the 1777 tmp dir back to /tmp/twiki, as per Nico's point wrt
> DBTS> to filling /var
>
> DBTS> --
> DBTS> Professional Wiki Innovation and Support
> DBTS> Sven Dowideit - http://DistributedINFORMATION.com
> DBTS> A WikiRing Partner - http://wikiring.com
> DBTS> Public key -
> DBTS> http://pgp.mit.edu:11371/pks/lookup?search=Sven+Dowideit&op=index&exact=on
>
> DBTS> Date: Mon, 11 Aug 2008 10:57:56 +0400
> DBTS> From: "Dmitry E. Oboukhov" <[EMAIL PROTECTED]>
> DBTS> To: [EMAIL PROTECTED]
> DBTS> Subject: The possibility of attack with the help of symlinks in some Debian packages
>
> DBTS> Package: twiki
> DBTS> Severity: grave
> DBTS> Tags: security
>
> DBTS> This message about the error concerns a few packages at once. I've
> DBTS> tested all the packages on my Debian mirror. (post|pre)(inst|rm) and
> DBTS> config scripts were tested.
>
> DBTS> In some packages I've discovered scripts with errors which may be used
> DBTS> by a user for damaging important system files.
>
> DBTS> For example if a script uses in its work a temp file which is created
> DBTS> in /tmp directory, then every user can create symlink with the same
> DBTS> name in this directory in order to destroy or rewrite some system
> DBTS> file.
>
> DBTS> I set Severity into grave for this bug. The table of discovered
> DBTS> problems is below.
>
> DBTS> +------------------+-----------------+----------------------------------
> DBTS> | package          | script          | file for attack
> DBTS> +------------------+-----------------+----------------------------------
> DBTS> | mplayer-1.0~rc2  | config          | /tmp/HACK (pipe)
> DBTS> |                  |                 |
> DBTS> | nws-2.13         | postinst        | /tmp/nws.debug (cp)
> DBTS> |                  |                 |
> DBTS> | ppp-2.4.4rel     | postinst        | /tmp/probe-finished (rm -f, pipe)
> DBTS> |                  | postinst        | /tmp/ppp-errors (rm -f, pipe)
> DBTS> | ppp-udeb         | /etc/ppp/ip-up  | /tmp/resolv.conf.tmp (cp)
> DBTS> |                  |                 |
> DBTS> | twiki-4.1.2      | postinst        | /tmp/twiki (chmod 1777, chown)
> DBTS> +------------------+-----------------+----------------------------------
>
> --
> ... mpd playing: U.D.O. - Man And Machine
>
> . ''`. Dmitry E. Oboukhov
> : : : [EMAIL PROTECTED]
> `. `~ GPGKey: 1024D / F8E26537 2006-11-21
> `- 1B23 D4F8 8EC0 D902 0555 E438 AB8C 00CF F8E2 6537

--
Professional Wiki Innovation and Support
Sven Dowideit - http://DistributedINFORMATION.com
A WikiRing Partner - http://wikiring.com
Public key - http://pgp.mit.edu:11371/pks/lookup?search=Sven+Dowideit&op=index&exact=on
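The transcript quoted above shows the core of the bug: a postinst running `chmod 1777` and `chown` against the fixed name /tmp/twiki, where a local user has already placed a symlink to /etc/shadow, and both commands follow the link. The shell script below is an added example written for this page; it is not code from the twiki package, the bug report, or Sven's fix. It contrasts a simplified form of the reported pattern with a hardened one that relies on mkdir(2) refusing to follow a trailing symlink. Assumptions: a scratch directory from `mktemp -d` stands in for /tmp, a constructed file stands in for /etc/shadow, the permission string is read from `ls -ld` as on GNU/Linux, and the chown step is left out because it needs root.

```shell
#!/bin/sh
# Added example, not taken from the twiki package or the bug report.
# Shows why `chmod 1777 /tmp/twiki` on a fixed, pre-creatable path lets a
# planted symlink redirect the mode change, and a hardened way to create a
# world-writable directory in /tmp from a maintainer script.
# Assumptions: a scratch directory from mktemp -d stands in for /tmp, a
# constructed file stands in for /etc/shadow, and permissions are read from
# `ls -ld` output as on GNU/Linux. The postinst's chown step is omitted
# because it needs root; it belongs after the hardened mkdir, never before.

# Simplified form of the reported pattern: operate on a fixed name without
# looking at what already sits there. chmod(1) follows symlinks, so whatever
# the name points at receives mode 1777. The mkdir error is ignored, as an
# unchecked script would ignore it.
unsafe_setup_tmpdir() {
    path=$1
    [ -d "$path" ] || mkdir -p "$path" 2>/dev/null || :
    chmod 1777 "$path"
}

# Hardened form. mkdir(2) never follows a trailing symlink and fails with
# EEXIST if anything, a dangling symlink included, already exists there, and
# -m sets the mode at creation, so no chmod runs on a name someone else may
# control. A pre-existing entry is accepted only if it is a real directory
# (not a link) that we already own; in a sticky /tmp nobody else can rename
# or remove such a directory between the test and the chmod.
safe_setup_tmpdir() {
    path=$1
    if [ -L "$path" ]; then
        echo "refusing: $path is a symlink" >&2
        return 1
    fi
    if [ -e "$path" ]; then
        if [ -d "$path" ] && [ -O "$path" ]; then
            chmod 1777 "$path"
            return $?
        fi
        echo "refusing: $path exists and is not a directory we own" >&2
        return 1
    fi
    mkdir -m 1777 "$path"
}

# Permission string of a path, e.g. -rwxrwxrwt, as shown in the report.
perms() {
    ls -ld "$1" | cut -c1-10
}

# Run both patterns against the constructed scenario. Returns 0 when the
# unsafe pattern changed the victim's mode and the hardened one refused.
demo() {
    sandbox=$(mktemp -d)             # stands in for /tmp
    victim="$sandbox/victim.conf"    # stands in for /etc/shadow (constructed)
    printf 'secret\n' > "$victim"
    chmod 600 "$victim"
    ln -s "$victim" "$sandbox/twiki" # the pre-planted link from the report

    unsafe_setup_tmpdir "$sandbox/twiki"
    after_unsafe=$(perms "$victim")

    chmod 600 "$victim"              # reset, then try the hardened form
    safe_rc=0
    safe_setup_tmpdir "$sandbox/twiki" 2>/dev/null || safe_rc=$?
    after_safe=$(perms "$victim")

    rm -rf "$sandbox"
    echo "unsafe pattern:   victim now $after_unsafe"
    echo "hardened pattern: exit $safe_rc, victim still $after_safe"
    [ "$after_unsafe" = "-rwxrwxrwt" ] && [ "$safe_rc" -ne 0 ] && [ "$after_safe" = "-rw-------" ]
}

demo
```

The directory is only half of the "1777 & O_EXCL" fix mentioned in the closing message: files written inside that directory still need to be created with O_EXCL under unpredictable names (`mktemp` from a shell, or a session library that does the same), since a world-writable sticky directory stops other users from replacing your entries but not from pre-creating names you would otherwise open blindly.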