Santiago Vila [2005-03-11 13:39 +0100]:
> In this report, the submitter complains about /usr/local/bin being in
> the PATH by default at the same time directories under /usr/local are
> root:staff and world-writable. His complaint is based on the existence
> of become-any-group-but-root bugs.
>
> If this is a bug at all, I think we should probably drop the root:staff
> thing instead of changing the default PATH. So: Would anyone here
> second the following patch, if it were a policy proposal?
>
> diff -ru debian-policy-3.6.1.1.orig/policy.sgml debian-policy-3.6.1.1/pol=
icy.sgml
> --- debian-policy-3.6.1.1.orig/policy.sgml 2004-06-25 23:11:36.000000000 =
+0200
> +++ debian-policy-3.6.1.1/policy.sgml 2005-03-11 13:25:27.000000000 +0100
> @@ -5062,8 +5062,8 @@
> then
> if mkdir /usr/local/share/emacs 2>/dev/null
> then
> - chown root:staff /usr/local/share/emacs
> - chmod 2775 /usr/local/share/emacs
> + chown root:root /usr/local/share/emacs
> + chmod 755 /usr/local/share/emacs
> fi
> fi
> </example>
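Review bot: the chown/chmod pair in this example still sits inside `if mkdir /usr/local/share/emacs 2>/dev/null`, so it only runs when the directory is newly created; a directory that already exists as root:staff 2775 keeps that owner and mode after the change. If existing installations are meant to be covered, the example needs a branch for the already-present directory, and if they are not, the surrounding text should say so.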
> @@ -5095,8 +5095,8 @@
> <p>
> The <file>/usr/local</file> directory itself and all the
> subdirectories created by the package should (by default) have
> - permissions 2775 (group-writable and set-group-id) and be
> - owned by <tt>root.staff</tt>.
> + permissions 755 and be
> + owned by <tt>root:root</tt>.
> </p>
> </sect1>
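Review bot: the replacement text "permissions 755 and be owned by root:root" drops the parenthetical that explained the old mode ("group-writable and set-group-id") without giving any explanation of the new one; a short clause such as "writable by root only" would keep the paragraph self-explanatory. The sentence also keeps "(by default)", so it should state whether a local administrator who changes the group or mode back can expect packages to leave that alone.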
I wholeheartedly agree and second this proposal. Also, /home should be
root:root 0755 instead of root:staff 2775; it is only confusing and
actually does not do anything useful.
Message-ID: <email address hidden>
Date: Fri, 11 Mar 2005 15:26:16 +0100
From: Martin Pitt <email address hidden>
To: Santiago Vila <email address hidden>
Cc: <email address hidden>, Paul Szabo <email address hidden>
Subject: Re: Bug#299007: base-files: Insecure PATH
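Added example, not part of the original message or of Debian policy: a POSIX shell check for the condition the report describes, directories on the search path that are group- or world-writable. The function name `audit_path_dirs` and its output format are assumptions made for this example.

```shell
#!/bin/sh
# audit_path_dirs [LIST]
#   LIST is a colon-separated search path (defaults to $PATH).
#   Prints "<dir> <mode> <uid>:<gid>" for every existing directory in LIST
#   that is group- or world-writable, so the reader can see which group
#   (for example staff) is able to drop files into it.
#   Returns 1 if at least one such directory was found, 0 otherwise.
audit_path_dirs() {
    list=${1-$PATH}
    found=0
    old_ifs=$IFS
    IFS=:
    set -f                          # no globbing while the list is split
    for dir in $list; do
        [ -d "$dir" ] || continue   # skip empty or missing entries
        line=$(ls -ldn -- "$dir") || continue
        mode=${line%% *}            # e.g. drwxrwsr-x
        case $mode in
            # 6th character: group write, 9th character: world write
            d????w*|d???????w*)
                # fields of `ls -ldn`: mode links uid gid ...
                ids=$(printf '%s\n' "$line" | awk '{print $3 ":" $4}')
                printf '%s %s %s\n' "$dir" "$mode" "$ids"
                found=1 ;;
        esac
    done
    set +f
    IFS=$old_ifs
    return $found
}
```

Called with no argument it audits the caller's own `$PATH`; a directory created with mode 2775 shows up as `drwxrwsr-x` together with its numeric owner and group.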