Your message dated Wed, 25 Aug 2010 19:32:47 +0000
with message-id <e1oolij-0006jk...@franck.debian.org>
and subject line Bug#593829: fixed in sabnzbdplus 0.5.4-1
has caused the Debian Bug report #593829,
regarding sabnzbdplus: sabnzbd.ini defaults to world-readable
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
593829: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=593829
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sabnzbdplus
Version: 0.5.3-1
Severity: grave
Tags: security
Justification: user security hole
After installing sabnzbdplus and configuring it, I found out that the main
configuration file for sabnzbdplus is world-readable (it can be found in
$HOME/.sabnzbd/sabnzbd.ini).
This config file contains my sabnzbd access password (which I could have chosen
the same as my login password...) as well as my E-mail user name & password -
all in plain text. Since this file is world-readable (644), these logins are
available to everyone with access to the file.
A user can manually change this - setting it to 600 seems to work fine in my
case - but someone 'just installing the package' may forget about this.
Unfortunately this file is not part of the list of files that gets installed -
it is generated by sabnzbd itself at first startup. So it is not simply a
matter of adding a chmod to the postinst file.
What I propose is to modify the init script (pseudocode):
    . /etc/default/sabnzbdplus    # read USER and CONFIG
    if [ -n "$CONFIG" ]; then
        touch "$CONFIG"        # well, maybe only if it didn't exist yet
        chmod 600 "$CONFIG"    # perhaps switchable in case one WANTS it world/group readable
    else
        touch /home/$USER/.sabnzbd/sabnzbd.ini        # maybe not referring to /home
        chmod 600 /home/$USER/.sabnzbd/sabnzbd.ini
    fi
(perhaps some chown commands should be added to this as well)
(and perhaps only do this if the config file didn't exist yet, so effectively
at first run)
This way, a (empty) config file with proper security settings will be generated
at the right location before first use. Not the nicest solution, but the best I
can think of.
This issue seems to have been discussed already at sabnzbd forum - the
conclusion was something like "the usenet password already is plain text,
therefore no use hiding the user password - best is to simply change the ini
file security settings". That's what I try to accomplish automatically with the
proposal above.
Regards,
Matthijs
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-486
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages sabnzbdplus depends on:
ii python 2.6.5-11 interactive high-level object-orie
ii python-cheetah 2.4.2.1-1 text-based template engine and Pyt
ii python-configobj 4.7.2+ds-1 simple but powerful config file re
ii python-feedparser 4.1-14 Universal Feed Parser for Python
ii python-support 1.0.9 automated rebuilding support for P
ii sabnzbdplus-theme-smpl 0.5.3-1 smpl interface templates for the S
Versions of packages sabnzbdplus recommends:
ii par2 0.4-11 Parity Archive Volume Set, for che
ii python-openssl 0.10-1 Python wrapper around the OpenSSL
ii python-yenc 0.3+debian-2+b1 yEnc encoding/decoding extension f
ii rar 2:3.9.3-1 Archiver for .rar files
ii sabnzbdplus-theme-classi 0.5.3-1 classic interface templates for th
ii sabnzbdplus-theme-plush 0.5.3-1 plush interface templates for the
ii unrar 1:3.8.5-1 Unarchiver for .rar files (non-fre
ii unzip 6.0-4 De-archiver for .zip files
Versions of packages sabnzbdplus suggests:
pn python-dbus <none> (no description available)
pn sabnzbdplus-theme-mobile <none> (no description available)
-- Configuration Files:
/etc/default/sabnzbdplus changed:
USER=sabnzbd
CONFIG=
HOST=192.168.1.3
PORT=7070
EXTRAOPTS=
-- no debconf information
--- End Message ---
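The report above turns on two details: the file is created by the daemon itself at first start (so the package cannot chmod it at install time), and a plain touch-then-chmod still leaves a short window in which the file is 644. The following POSIX sh helpers are an added example, not code from the bug report or from the sabnzbdplus package: they resolve the config path the way the proposal does (explicit CONFIG, else the service user's home), create the file under umask 077 so it is never world-readable at any instant, tighten an already-existing file in place, and provide a check for the reported condition (group or other can read the file). The function names, the getent lookup and the /home fallback are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or the sabnzbdplus package.
# Helpers an init script could call before starting the daemon so that the
# file sabnzbd writes at first startup already exists as mode 600.
# Function names, the getent lookup and the /home fallback are assumptions.

# Resolve the config path the way the proposal does: an explicit CONFIG
# (from /etc/default/sabnzbdplus) wins, else the service user's home.
# Falls back to /home/$user when the account cannot be looked up.
config_path() {
    cfg=$1; user=$2
    if [ -n "$cfg" ]; then
        printf '%s\n' "$cfg"
        return 0
    fi
    home=$(getent passwd "$user" 2>/dev/null | cut -d: -f6)
    [ -n "$home" ] || home="/home/$user"
    printf '%s/.sabnzbd/sabnzbd.ini\n' "$home"
}

# Create the file if it is missing and make sure it is owner-only.
# Creating it under umask 077 in a subshell means it is never 644, not even
# between a touch and a chmod; an existing file (the case the report hit)
# is tightened in place. chown is attempted only when running as root,
# which is how an init script runs.
ensure_private_config() {
    cfg=$1; user=$2
    dir=$(dirname "$cfg")
    (
        umask 077
        mkdir -p "$dir" || exit 1
        [ -e "$cfg" ] || : > "$cfg"
    ) || return 1
    chmod 600 "$cfg" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$user" "$dir" "$cfg" || return 1
    fi
    return 0
}

# The condition the report describes: group or other can read the file.
# Reads `ls -l` columns 5 (group r) and 8 (other r), so it needs no GNU
# stat. Exit 0 = exposed, 1 = private, 2 = no such file.
is_exposed() {
    [ -e "$1" ] || return 2
    case "$(ls -ld "$1" | cut -c5,8)" in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Run with --demo to try it; set CONFIG to a scratch path to avoid touching
# the real per-user location (USER=sabnzbd, CONFIG empty in the report).
if [ "${1:-}" = "--demo" ]; then
    cfg=$(config_path "${CONFIG:-}" "${SAB_USER:-sabnzbd}")
    ensure_private_config "$cfg" "${SAB_USER:-sabnzbd}" && ls -l "$cfg"
    if is_exposed "$cfg"; then echo "still exposed: $cfg"; else echo "private: $cfg"; fi
fi
```

Calling ensure_private_config from the init script's start function, before the daemon is launched as $USER, covers both the first run (the file is created 600 and the daemon then writes into it) and an installation that already has a 644 file from an earlier version. is_exposed is the same check an administrator could run over existing ~/.sabnzbd/sabnzbd.ini files to find accounts still affected.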
--- Begin Message ---
Source: sabnzbdplus
Source-Version: 0.5.4-1
We believe that the bug you reported is fixed in the latest version of
sabnzbdplus, which is due to be installed in the Debian FTP archive:
sabnzbdplus-theme-classic_0.5.4-1_all.deb
to contrib/s/sabnzbdplus/sabnzbdplus-theme-classic_0.5.4-1_all.deb
sabnzbdplus-theme-iphone_0.5.4-1_all.deb
to contrib/s/sabnzbdplus/sabnzbdplus-theme-iphone_0.5.4-1_all.deb
sabnzbdplus-theme-mobile_0.5.4-1_all.deb
to contrib/s/sabnzbdplus/sabnzbdplus-theme-mobile_0.5.4-1_all.deb
sabnzbdplus-theme-plush_0.5.4-1_all.deb
to contrib/s/sabnzbdplus/sabnzbdplus-theme-plush_0.5.4-1_all.deb
sabnzbdplus-theme-smpl_0.5.4-1_all.deb
to contrib/s/sabnzbdplus/sabnzbdplus-theme-smpl_0.5.4-1_all.deb
sabnzbdplus_0.5.4-1.diff.gz
to contrib/s/sabnzbdplus/sabnzbdplus_0.5.4-1.diff.gz
sabnzbdplus_0.5.4-1.dsc
to contrib/s/sabnzbdplus/sabnzbdplus_0.5.4-1.dsc
sabnzbdplus_0.5.4-1_all.deb
to contrib/s/sabnzbdplus/sabnzbdplus_0.5.4-1_all.deb
sabnzbdplus_0.5.4.orig.tar.gz
to contrib/s/sabnzbdplus/sabnzbdplus_0.5.4.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 593...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
JCF Ploemen (jcfp) <li...@jp.pp.ru> (supplier of updated sabnzbdplus package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sun, 22 Aug 2010 21:10:15 +0200
Source: sabnzbdplus
Binary: sabnzbdplus sabnzbdplus-theme-plush sabnzbdplus-theme-smpl sabnzbdplus-theme-iphone sabnzbdplus-theme-mobile sabnzbdplus-theme-classic
Architecture: source all
Version: 0.5.4-1
Distribution: unstable
Urgency: low
Maintainer: JCF Ploemen (jcfp) <li...@jp.pp.ru>
Changed-By: JCF Ploemen (jcfp) <li...@jp.pp.ru>
Description:
sabnzbdplus - web-based binary newsgrabber with nzb support
sabnzbdplus-theme-classic - classic interface templates for the SABnzbd+ binary newsgrabber
sabnzbdplus-theme-iphone - transitional package for migration to sabnzbdplus-theme-mobile
sabnzbdplus-theme-mobile - mobile interface templates for the SABnzbd+ binary newsgrabber
sabnzbdplus-theme-plush - plush interface templates for the SABnzbd+ binary newsgrabber
sabnzbdplus-theme-smpl - smpl interface templates for the SABnzbd+ binary newsgrabber
Closes: 593829
Changes:
sabnzbdplus (0.5.4-1) unstable; urgency=low
.
* New upstream release (Closes: #593829).
* Bumped Standards-Version to 3.9.1 (no changes needed).
* Init script: moved start and stop procedures into functions.
* Updated man page.
Checksums-Sha1:
937d79a1b693dd055fdb1e0621083103d4e02b8c 1444 sabnzbdplus_0.5.4-1.dsc
5e2df790d8e15c9a0255466f7b94fa380e67a662 1409675 sabnzbdplus_0.5.4.orig.tar.gz
19c8966afaf70accaf60c6aa1af2785f64566d74 27723 sabnzbdplus_0.5.4-1.diff.gz
124b6d12f80aa4ddb7d317b2afc172bd099fd410 740000 sabnzbdplus_0.5.4-1_all.deb
9b362b5a7ab41ebe4aadbe95f341c87a79327211 182032 sabnzbdplus-theme-plush_0.5.4-1_all.deb
a880949c9a2874e27ee7e27f23c61a1a532693b5 111808 sabnzbdplus-theme-smpl_0.5.4-1_all.deb
5c062b5d5fd6e821463b5fc09be672e6c3002134 21330 sabnzbdplus-theme-iphone_0.5.4-1_all.deb
aadd19d85f1c0668264ca8135c8f74fc26d5635b 94044 sabnzbdplus-theme-mobile_0.5.4-1_all.deb
d48f10a9aa7bd3570148928c89d9fa21491e0cd8 69608 sabnzbdplus-theme-classic_0.5.4-1_all.deb
Checksums-Sha256:
8695537266569418f7909c31d90e4f1b5ffd075a01d800452f5864642626feb5 1444 sabnzbdplus_0.5.4-1.dsc
d94ca3e0247a14f156567fd474d01e6db1a89ee47647f5e606d0820dcf831577 1409675 sabnzbdplus_0.5.4.orig.tar.gz
d00018ea03c44ceda618fa79a29a79d26658634d69d86568b1faf50fd7e82246 27723 sabnzbdplus_0.5.4-1.diff.gz
0899185101930fef892976b59a216fbbd611a2fb72eefe46d0c5851117d44afe 740000 sabnzbdplus_0.5.4-1_all.deb
53acee8e4888fbe9ad3a48fdb19ca628217a2cba467d50caf3596e4a74ddf137 182032 sabnzbdplus-theme-plush_0.5.4-1_all.deb
a4a4303afbe7d733de8c0690305be8dfe23c57297c9660229f9726ead2899002 111808 sabnzbdplus-theme-smpl_0.5.4-1_all.deb
28d1b788155cf4701490f48a3dee14236d2668248d1b2080d4c6b9432885cbc8 21330 sabnzbdplus-theme-iphone_0.5.4-1_all.deb
b8fcf630e72776e06c7b3ae8654656bb5761d3d94a8da8eac3ff4a05bf2e765f 94044 sabnzbdplus-theme-mobile_0.5.4-1_all.deb
cab96e7fa2826cb363462218c37ddd589d77bfa11f3f0606e8e9dab898b6b869 69608 sabnzbdplus-theme-classic_0.5.4-1_all.deb
Files:
e10058a9eaf26e559198d66e027e15ea 1444 contrib/net optional sabnzbdplus_0.5.4-1.dsc
b64e5d47ea4c115b98dd96744946c89d 1409675 contrib/net optional sabnzbdplus_0.5.4.orig.tar.gz
f9a107be6034ba4baf39a686a3a79bd1 27723 contrib/net optional sabnzbdplus_0.5.4-1.diff.gz
259d4f18860a3bdeba3349deeeecfc46 740000 contrib/net optional sabnzbdplus_0.5.4-1_all.deb
c6ac2a75dceccb87f05f3d4da943d2df 182032 contrib/net optional sabnzbdplus-theme-plush_0.5.4-1_all.deb
16ca13a57e97c418db063ad263c54e0c 111808 contrib/net optional sabnzbdplus-theme-smpl_0.5.4-1_all.deb
dffc45a69d2d58796f0d9f95133744d8 21330 contrib/net optional sabnzbdplus-theme-iphone_0.5.4-1_all.deb
636cd1209870d9ecfc9bcdfa8c3eddcd 94044 contrib/net optional sabnzbdplus-theme-mobile_0.5.4-1_all.deb
db790deae8ad5b9501120646cb489bfa 69608 contrib/net optional sabnzbdplus-theme-classic_0.5.4-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAkx1aQMACgkQB01zfu119ZnzQQCfReeMYAmIon00sBAdZiidW/Qh
/lEAmQFjkQGup7vJ++vVwTQ8pJMTD3MH
=jY3y
-----END PGP SIGNATURE-----
--- End Message ---