Martin Geisler
2005-Oct-04 22:18 UTC
Bug#331720: adduser: deluser --backup creates world readable file
Package: adduser
Version: 3.63
Severity: normal
File: /usr/sbin/deluser

When making a backup with deluser, the resulting file is created like any other file made by root, and with my umask of 022 it is world readable.

This is bad since then everybody who gets hold of it has access to the old users files if the administrator does not take care to store the backup in some safe place.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages adduser depends on:
ii  debconf    1.4.30.13         Debian configuration management sy
ii  passwd     1:4.0.3-31sarge5  change and administer password and
ii  perl-base  5.8.4-8           The Pathologically Eclectic Rubbis

-- debconf information:
* adduser/homedir-permission: true

Marc Haber
2005-Oct-22 10:03 UTC
[Adduser-devel] Bug#331720: adduser: deluser --backup creates world readable file
tags #331720 confirmed
user adduser@packages.debian.org
usertags #331720 valid-bug joerg-assigned
thanks

On Wed, Oct 05, 2005 at 12:04:29AM +0200, Martin Geisler wrote:
> When making a backup with deluser, the resulting file is created like
> any other file made by root, and with my umask of 022 it is world
> readable.

Ouch.

> This is bad since then everybody who gets hold of it has access to the
> old users files if the administrator does not take care to store the
> backup in some safe place.

You're absolutely right. This will be fixed. Do you think that a hardcoded root:root 600 is fine, or does that need to be configurable?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mail address in header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

Debian Bug Tracking System
2005-Oct-22 10:03 UTC
[Adduser-devel] Processed: Re: Bug#331720: adduser: deluser --backup creates world readable file
Processing commands for control@bugs.debian.org:

> tags #331720 confirmed
Bug#331720: adduser: deluser --backup creates world readable file
There were no tags set.
Tags added: confirmed

> user adduser@packages.debian.org
Setting user to adduser@packages.debian.org (was mh+debian-packages@zugschlus.de).

> usertags #331720 valid-bug joerg-assigned
There were no usertags set.
Usertags are now: valid-bug joerg-assigned.

> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Debian Bug Tracking System
2005-Oct-23 21:03 UTC
[Adduser-devel] Bug#331720: marked as done (adduser: deluser --backup creates world readable file)
Your message dated Sun, 23 Oct 2005 13:47:11 -0700
with message-id <E1ETmkJ-0000nA-00@spohr.debian.org>
and subject line Bug#331720: fixed in adduser 3.77
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 4 Oct 2005 22:05:22 +0000
>From mgeisler@mgeisler.net Tue Oct 04 15:05:22 2005
Return-path: <mgeisler@mgeisler.net>
Received: from mail11.bluewin.ch [195.186.18.61] by spohr.debian.org with esmtp (Exim 3.36 1 (Debian)) id 1EMuuY-0007Qx-00; Tue, 04 Oct 2005 15:05:22 -0700
Received: from futtelifut.dyndns.org (83.79.56.155) by mail11.bluewin.ch (Bluewin 7.2.063) id 433ABA2E0014910B for submit@bugs.debian.org; Tue, 4 Oct 2005 22:04:50 +0000
Received: from mg by futtelifut.dyndns.org with local (Exim 4.50) id 1EMuth-0003h7-Pb for submit@bugs.debian.org; Wed, 05 Oct 2005 00:04:29 +0200
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: adduser: deluser --backup creates world readable file
X-Debbugs-CC: Martin Geisler <mgeisler@mgeisler.net>
Message-Id: <E1EMuth-0003h7-Pb@futtelifut.dyndns.org>
From: Martin Geisler <mgeisler@mgeisler.net>
Date: Wed, 05 Oct 2005 00:04:29 +0200
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE, X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02

Package: adduser
Version: 3.63
Severity: normal
File: /usr/sbin/deluser

When making a backup with deluser, the resulting file is created like any other file made by root, and with my umask of 022 it is world readable.

This is bad since then everybody who gets hold of it has access to the old users files if the administrator does not take care to store the backup in some safe place.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages adduser depends on:
ii  debconf    1.4.30.13         Debian configuration management sy
ii  passwd     1:4.0.3-31sarge5  change and administer password and
ii  perl-base  5.8.4-8           The Pathologically Eclectic Rubbis

-- debconf information:
* adduser/homedir-permission: true

---------------------------------------
Received: (at 331720-close) by bugs.debian.org; 23 Oct 2005 20:49:48 +0000
>From katie@spohr.debian.org Sun Oct 23 13:49:48 2005
Return-path: <katie@spohr.debian.org>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian)) id 1ETmkJ-0000nA-00; Sun, 23 Oct 2005 13:47:11 -0700
From: Marc Haber <mh+debian-packages@zugschlus.de>
To: 331720-close@bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#331720: fixed in adduser 3.77
Message-Id: <E1ETmkJ-0000nA-00@spohr.debian.org>
Sender: Archive Administrator <katie@spohr.debian.org>
Date: Sun, 23 Oct 2005 13:47:11 -0700
Delivered-To: 331720-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 (1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level:
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER autolearn=no version=2.60-bugs.debian.org_2005_01_02

Source: adduser
Source-Version: 3.77

We believe that the bug you reported is fixed in the latest version of adduser, which is due to be installed in the Debian FTP archive:

adduser_3.77.dsc
  to pool/main/a/adduser/adduser_3.77.dsc
adduser_3.77.tar.gz
  to pool/main/a/adduser/adduser_3.77.tar.gz
adduser_3.77_all.deb
  to pool/main/a/adduser/adduser_3.77_all.deb

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 331720@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marc Haber <mh+debian-packages@zugschlus.de> (supplier of updated adduser package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 23 Oct 2005 18:41:21 +0000
Source: adduser
Binary: adduser
Architecture: source all
Version: 3.77
Distribution: unstable
Urgency: low
Maintainer: Debian Adduser Developers <adduser-devel@lists.alioth.debian.org>
Changed-By: Marc Haber <mh+debian-packages@zugschlus.de>
Description:
 adduser - Add and remove users and groups
Closes: 331720
Changes:
 adduser (3.77) unstable; urgency=low
 .
   [ Marc Haber ]
   * call make -C po update clean in debian/rules clean.
     Thanks to Eduard Bloch. (mh)
   * invoke debconf-updatepo and po4a in clean target.
     Thanks to Thomas Huriaux. (mh)
 .
   [ Joerg Hoh ]
   * fixed bug in deluser which made not specified parameters valid
   * backup files for users have a mask of 600 and ownership is set to
     root only (Closes: #331720)
Files:
 9f203c4f5345d3f32a600bffda89d15b 643 admin important adduser_3.77.dsc
 aab3fd55351135469eba93b4f3c04292 151416 admin important adduser_3.77.tar.gz
 0f402bca822ad859a6913156141e4647 81740 admin important adduser_3.77_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iEYEARECAAYFAkNb2zYACgkQgZalRGu6PITqDACfQuAOStCkCUf1mxFYyfBKQf6C
NtMAoIWJzvX25nHwqtRG3d7USLtrO2lw
=mkVy
-----END PGP SIGNATURE-----
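
Added example, not part of the thread and not adduser's own code (deluser is Perl; this sketch is Python): it reproduces the reported behaviour under umask 022, creates the same archive with mode 600 from the start as the 3.77 changelog describes, and audits a backup directory for archives left accessible to group or other. The function names, the `alice` home directory and the archive names are constructed for the illustration.

```python
import os
import stat
import tarfile
import tempfile

def mode_of(path):
    return stat.S_IMODE(os.lstat(path).st_mode)

def backup_default(src_dir, archive):
    """Reported behaviour: plain create, so the mode is 0666 & ~umask."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src_dir, arcname=os.path.basename(src_dir))
    return mode_of(archive)

def backup_private(src_dir, archive):
    """Fixed behaviour: 0600 from creation, never readable in between."""
    # O_EXCL/O_NOFOLLOW: refuse a pre-planted file or symlink at the target.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(archive, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        os.fchmod(fd, 0o600)          # exact mode even under an unusual umask
        if os.geteuid() == 0:
            os.fchown(fd, 0, 0)       # root:root, as in the 3.77 changelog
        with tarfile.open(fileobj=fh, mode="w:gz") as tar:
            tar.add(src_dir, arcname=os.path.basename(src_dir))
    return mode_of(archive)

def exposed_backups(directory):
    """Audit: archives that group or other can access at all."""
    return sorted(n for n in os.listdir(directory)
                  if mode_of(os.path.join(directory, n)) & 0o077)

def demo():
    old_umask = os.umask(0o022)       # the reporter's umask
    try:
        with tempfile.TemporaryDirectory() as tmp:
            home = os.path.join(tmp, "alice")        # constructed sample home
            backups = os.path.join(tmp, "backups")
            os.mkdir(home)
            os.mkdir(backups)
            with open(os.path.join(home, "notes.txt"), "w") as f:
                f.write("constructed sample data\n")
            before = backup_default(home, os.path.join(backups, "old.tar.gz"))
            after = backup_private(home, os.path.join(backups, "new.tar.gz"))
            return before, after, exposed_backups(backups)
    finally:
        os.umask(old_umask)
```

Running `exposed_backups` over the directory where older deluser versions wrote their archives shows which existing backups still need a `chmod 600`.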