term.log is world readable and shouldn't be

This appears to be a regression in precise. lucid has these files as
600.

This was introduced in Oneiric, as the fix for bug 404724

Michael, is there any way to exclude the shell being logged in term.log?

Hey Marc, unfortunately not AFAICT. It will simply log everything on the pty that dpkg runs on. We could make it 0640 root.adm as a middle ground maybe?

Yeah, that would be acceptable I think. Elmo?

Marc Deslauriers <email address hidden> writes:

> Yeah, that would be acceptable I think. Elmo?

It's better than what we have now, so, sure.

--
James

Bzr bundle with a fix, note that the apt.postinst needs version number adjustment of course.

This still doesn't seem to be fixed. Has there been any progress on it?

@Jamie: sorry, this slipped my attention. If you agree with the direction in the bzr bundle I'm happy to prepare debdiffs for precise, quantal with the fix.

It looks good to me, though I'm guessing the version check in postinst might need to be adjusted?

I adjusted the version checks in the postinst now, this should be ok now (but double check of course welcome!).

This is CVE-2012-0961

This bug was fixed in the package apt - 0.8.16~exp12ubuntu10.7

---------------
apt (0.8.16~exp12ubuntu10.7) precise-security; urgency=low

  * SECURITY UPDATE: change permissions of
    /var/log/apt/term.log to 0640 (LP: #975199)
    - CVE-2012-0961
 -- Michael Vogt <email address hidden> Tue, 04 Dec 2012 15:38:12 +0100

This bug was fixed in the package apt - 0.9.7.5ubuntu5.2

---------------
apt (0.9.7.5ubuntu5.2) quantal-security; urgency=low

  * SECURITY UPDATE: change permissions of
    /var/log/apt/term.log to 0640 (LP: #975199)
    - CVE-2012-0961
 -- Michael Vogt <email address hidden> Tue, 04 Dec 2012 15:46:44 +0100

This bug was fixed in the package apt - 0.8.16~exp5ubuntu13.6

---------------
apt (0.8.16~exp5ubuntu13.6) oneiric-security; urgency=low

  * SECURITY UPDATE: change permissions of
    /var/log/apt/term.log to 0640 (LP: #975199)
    - CVE-2012-0961
 -- Michael Vogt <email address hidden> Tue, 04 Dec 2012 15:27:51 +0100

This bug was fixed in the package apt - 0.9.7.6ubuntu6

---------------
apt (0.9.7.6ubuntu6) raring; urgency=low

  * merged from the debian-sid branch

  [ Program translation updates ]
  * Catalan (Jordi Mallach)
  * Drop a confusing non-breaking space. Closes: #691024
  * Thai (Theppitak Karoonboonyanan). Closes: #691613
  * Vietnamese (Trần Ngọc Quân). Closes: #693773
  * Fix Plural forms in German, French, Japanese and Portuguese
    translations. Thanks to Jakub Wilk for reporting these errors.

  [ Michael Vogt ]
  * change permissions of /var/log/apt/term.log to 0640 (LP: #975199)
 -- Michael Vogt <email address hidden> Thu, 13 Dec 2012 09:14:54 +0100

Why does this log include user input in the first case? I can somewhat understand logging all output but why does the log include input also?

@Mikko: because when you get a conf file handling dialog, one of the options is to spawn a shell to manually correct the issue. That shell is in the same terminal, hence in the same log file.