Your message dated Mon, 04 Apr 2011 21:33:23 +0000
with message-id <e1q6rol-00074h...@franck.debian.org>
and subject line Bug#620304: fixed in tmux 1.4-6
has caused the Debian Bug report #620304,
regarding tmux: Incorrect dropping of privileges allows users to obtain utmp 
group privileges
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
620304: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=620304
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: tmux
Version: 1.3-2
Severity: important


When running tmux with -S (specify custom socket path), the utmp
group privileges will not be dropped but inherited by any shells running
within tmux.

While /bin/bash gets kind of confused, strangely skips loading
/etc/profile, ~/.bashrc etc. and also drops the utmp privileges on its
own, using /bin/dash, for instance, makes it possible to illustrate the
issue:

1. run "SHELL=/bin/sh tmux -S whatever"
2. run "id" inside tmux
3. observe egid=43(utmp)

The problem is apparently introduced by 03_proper_socket_handling.diff
and 04_dropping_unnecessary_privileges.diff. The incorrectly placed call
to setresgid() in is not reached when a custom socket path is used.

-- System Information:
Debian Release: 6.0.1
  APT prefers squeeze-updates
  APT policy: (500, 'squeeze-updates'), (500, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages tmux depends on:
ii  libc6                    2.11.2-10       Embedded GNU C Library: Shared lib
ii  libevent-1.4-2           1.4.13-stable-1 An asynchronous event notification
ii  libncurses5              5.7+20100313-5  shared libraries for terminal hand

tmux recommends no packages.

tmux suggests no packages.

-- no debconf information



--- End Message ---
--- Begin Message ---
Source: tmux
Source-Version: 1.4-6

We believe that the bug you reported is fixed in the latest version of
tmux, which is due to be installed in the Debian FTP archive:

tmux_1.4-6.debian.tar.gz
  to main/t/tmux/tmux_1.4-6.debian.tar.gz
tmux_1.4-6.dsc
  to main/t/tmux/tmux_1.4-6.dsc
tmux_1.4-6_amd64.deb
  to main/t/tmux/tmux_1.4-6_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 620...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Karl Ferdinand Ebert <kfeb...@gmail.com> (supplier of updated tmux package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 03 Apr 2011 18:28:42 +0200
Source: tmux
Binary: tmux
Architecture: source amd64
Version: 1.4-6
Distribution: unstable
Urgency: high
Maintainer: Karl Ferdinand Ebert <kfeb...@gmail.com>
Changed-By: Karl Ferdinand Ebert <kfeb...@gmail.com>
Description: 
 tmux       - terminal multiplexer
Closes: 620304
Changes: 
 tmux (1.4-6) unstable; urgency=high
 .
   * Fix "Incorrect dropping of privileges allows users to obtain utmp
     group privileges" by adjusting patch 04_drop_unnecessary_privileges.diff
     to drop privileges at the caller side (Closes: #620304).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iD8DBQFNmi7UogN2vsA8Vt8RAoCWAJ0a28Gf06CsDYQZ8XdjFYoSdpO4NwCgsh14
4oXbigDAhsh0r/rLKFL5yV8=
=jCP+
-----END PGP SIGNATURE-----



--- End Message ---
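
Added example (not part of the original report and not the Debian patch): a C model of the pattern the two messages describe, in which a privilege drop that sits only on the default-socket branch is skipped when a custom path is given, next to a caller-side drop that runs on every path. The function names drop_group_privileges, startup_before and startup_after are hypothetical, and Linux/glibc is assumed for setresgid().

```c
#define _GNU_SOURCE                 /* setresgid()/getresgid() on glibc */
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Explicit prototypes in case an earlier include fixed the feature macros. */
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);
int getresgid(gid_t *rgid, gid_t *egid, gid_t *sgid);

/* Permanently give up a setgid-granted group (utmp in the report) and verify
 * that it is gone. Returns 0 on success, -1 on failure. */
int drop_group_privileges(void)
{
    gid_t real = getgid(), old_egid = getegid(), r, e, s;
    if (setresgid(real, real, real) != 0)
        return -1;
    if (getresgid(&r, &e, &s) != 0 || r != real || e != real || s != real)
        return -1;
    /* The saved GID is cleared too, so regaining the old group must fail. */
    if (old_egid != real && setegid(old_egid) == 0)
        return -1;
    return 0;
}

/* Before (hypothetical layout): the drop sits in the default-socket branch,
 * so a custom path (-S) never reaches it. Returns 1 if privileges were
 * dropped before a shell would be started. */
int startup_before(const char *custom_path)
{
    int dropped = 0;
    if (custom_path == NULL)        /* default socket path only */
        dropped = (drop_group_privileges() == 0);
    return dropped;
}

/* After: the caller drops first, whichever socket path is used. */
int startup_after(const char *custom_path)
{
    (void)custom_path;
    return drop_group_privileges() == 0;
}

int main(void)
{
    printf("-S before: dropped=%d\n", startup_before("whatever"));
    printf("-S after:  dropped=%d\n", startup_after("whatever"));
    return 0;
}
```

On a fixed package, repeating the report's three steps should show an egid equal to the user's own group rather than 43(utmp).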
