Your message dated Thu, 08 Sep 2005 11:32:06 -0700 with message-id <[EMAIL PROTECTED]> and subject line Bug#310757: fixed in davfs2 0.2.4-1 has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Date: Wed, 25 May 2005 11:51:10 -0700
From: Andrew Pimlott <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: davfs2: doesn't enforce permissions

Package: davfs2
Version: 0.2.3-2
Severity: grave
Tags: security
Justification: user security hole

It appears that davfs2 does not enforce unix permissions. I just mounted a DAV share as root.
When I list permissions in the root of the mount, I see

% ls -ld .
drwxr-xr-x 1 root root 512 2005-05-25 11:43 .
% ls -l
total 950
-rwxr-xr-x 0 root root 6 2005-05-25 11:43 file
drwxr-xr-x 1 root root 512 2005-05-10 05:18 dir

However, as a regular user, I can create and modify files with no restrictions. For example "touch foo" and "echo hello > file" both work fine.

I also tried mounting with mode=0700, and nothing changed, not even the permissions displayed. So it appears that there is no way to restrict access to the mounted DAV share.

Also, on a possibly related note, I see that if I create a file with "touch foo", foo has the permissions

-rw-rw-r-- 0 root root 0 2005-05-25 11:48 foo

However, if I unmount and remount, then the permissions revert to

-rwxr-xr-x 0 root root 0 2005-05-25 11:48 foo

Andrew

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages davfs2 depends on:
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libneon24 0.24.7.dfsg-2 An HTTP and WebDAV client library
ii libssl0.9.7 0.9.7g-1 SSL shared libraries
ii libxml2 2.6.16-7 GNOME XML library
ii zlib1g 1:1.2.2-4 compression library - runtime

-- no debconf information

---------------------------------------
From: Luciano Bello <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Bug#310757: fixed in davfs2 0.2.4-1
Date: Thu, 08 Sep 2005 11:32:06 -0700
Source: davfs2
Source-Version: 0.2.4-1

We believe that the bug you reported is fixed in the latest version of davfs2, which is due to be installed in the Debian FTP archive:

davfs2_0.2.4-1.diff.gz
  to pool/main/d/davfs2/davfs2_0.2.4-1.diff.gz
davfs2_0.2.4-1.dsc
  to pool/main/d/davfs2/davfs2_0.2.4-1.dsc
davfs2_0.2.4-1_i386.deb
  to pool/main/d/davfs2/davfs2_0.2.4-1_i386.deb
davfs2_0.2.4.orig.tar.gz
  to pool/main/d/davfs2/davfs2_0.2.4.orig.tar.gz

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [EMAIL PROTECTED], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Luciano Bello <[EMAIL PROTECTED]> (supplier of updated davfs2 package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [EMAIL PROTECTED])

Format: 1.7
Date: Mon, 1 Aug 2005 21:41:35 -0300
Source: davfs2
Binary: davfs2
Architecture: source i386
Version: 0.2.4-1
Distribution: unstable
Urgency: high
Maintainer: Luciano Bello <[EMAIL PROTECTED]>
Changed-By: Luciano Bello <[EMAIL PROTECTED]>
Description:
 davfs2 - mount a WebDAV resource as a regular file system
Closes: 303533 310757 311286
Changes:
 davfs2 (0.2.4-1) unstable; urgency=high
 .
   * New upstream version 0.2.4.
     - Solve CAN-2005-1774. Permit users to mount their own resources, considering the right permissions (closes: Bug#310757).
     - Configuration is allocated in a config file.
     - Support for SSL certificates.
   * The source doesn't unnecessarily build libraries any more.
   * Support for URLs with spaces is included now (closes: Bug#311286).
   * Support for kernels 2.4 and 2.6 through a script wrapper (closes: Bug#303533).
Files:
 a8d9bc7e674e40c1648420e3a38b0d0a 639 utils extra davfs2_0.2.4-1.dsc
 f8f76634ddd7a26f0f277f86262887b6 141438 utils extra davfs2_0.2.4.orig.tar.gz
 888cda19333b2a97f7f4569762fd417e 31024 utils extra davfs2_0.2.4-1.diff.gz
 70cf1a0ccc14e7f809b77b898638545b 53652 utils extra davfs2_0.2.4-1_i386.deb
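
An added example, not part of the original report or of davfs2: a Python check, in the spirit of the reporter's "touch foo" test, that walks a mounted tree and lists paths the calling user may write although the displayed owner, group and mode deny it. The function names are hypothetical; it assumes a Linux host and an unprivileged caller, and POSIX ACLs can legitimately produce findings.

```python
import os
import stat
import sys


def mode_grants_write(mode, owner, group, uid, gids):
    """Apply the classic owner/group/other rule to the displayed mode bits."""
    if uid == 0:
        return True  # root is not restricted by mode bits
    if uid == owner:
        return bool(mode & stat.S_IWUSR)
    if group in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def audit_tree(root):
    """Return (path, mode) pairs the caller can write although the mode bits deny it."""
    uid = os.getuid()
    gids = set(os.getgroups()) | {os.getgid()}
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            try:
                st = os.stat(path)
            except OSError:
                continue  # vanished entry or dangling symlink
            expected = mode_grants_write(st.st_mode, st.st_uid, st.st_gid, uid, gids)
            # os.access() asks the kernel, and through it the filesystem driver,
            # using the real uid/gid: the same ids used to compute `expected`.
            actual = os.access(path, os.W_OK)
            if actual and not expected:
                findings.append((path, stat.filemode(st.st_mode)))
    return findings


if __name__ == "__main__":
    # Usage: python3 audit.py /path/to/mountpoint
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, mode in audit_tree(target):
        print(f"{mode} {path}: writable although mode bits deny it")
```

An empty result only means the access check agrees with the mode bits; an actual write attempt on a scratch file, as in the report, remains the definitive test.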