Adduser devel - Oct 2005 - Bug#331720: adduser: deluser --backup creates world readable file

Package: adduser
Version: 3.63
Severity: normal
File: /usr/sbin/deluser

When making a backup with deluser, the resulting file is created like
any other file made by root, and with my umask of 022 it is world
readable.

This is bad since then everybody who get hold of it has access to the
old users files if the administrator does not take care to store the
backup in some safe place.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages adduser depends on:
ii  debconf                 1.4.30.13        Debian configuration management sy
ii  passwd                  1:4.0.3-31sarge5 change and administer password and
ii  perl-base               5.8.4-8          The Pathologically Eclectic Rubbis

-- debconf information:
* adduser/homedir-permission: true

tags #331720 confirmed
user adduser@packages.debian.org
usertags #331720 valid-bug joerg-assigned
thanks

On Wed, Oct 05, 2005 at 12:04:29AM +0200, Martin Geisler
wrote:
> When making a backup with deluser, the resulting file is created like
> any other file made by root, and with my umask of 022 it is world
> readable.
Ouch.
> This is bad since then everybody who get hold of it has access to the
> old users files if the administrator does not take care to store the
> backup in some safe place.
You''re absolutely right. This will be fixed. Do you think that a
hardcoded root:root 600 is fine, or does that need to be configuable?

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don''t trust Computers. They | Mailadresse
im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835

Processing commands for control@bugs.debian.org:
> tags #331720 confirmed
Bug#331720: adduser: deluser --backup creates world readable file
There were no tags set.
Tags added: confirmed
> user adduser@packages.debian.org
Setting user to adduser@packages.debian.org (was
mh+debian-packages@zugschlus.de).
> usertags #331720 valid-bug joerg-assigned
There were no usertags set.
Usertags are now: valid-bug joerg-assigned.
> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

Your message dated Sun, 23 Oct 2005 13:47:11 -0700
with message-id <E1ETmkJ-0000nA-00@spohr.debian.org>
and subject line Bug#331720: fixed in adduser 3.77
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--------------------------------------
Received: (at submit) by bugs.debian.org; 4 Oct 2005 22:05:22
+0000
>From mgeisler@mgeisler.net Tue Oct 04 15:05:22 2005
Return-path: <mgeisler@mgeisler.net>
Received: from mail11.bluewin.ch [195.186.18.61] 
	by spohr.debian.org with esmtp (Exim 3.36 1 (Debian))
	id 1EMuuY-0007Qx-00; Tue, 04 Oct 2005 15:05:22 -0700
Received: from futtelifut.dyndns.org (83.79.56.155) by mail11.bluewin.ch
(Bluewin 7.2.063)
        id 433ABA2E0014910B for submit@bugs.debian.org; Tue, 4 Oct 2005 22:04:50
+0000
Received: from mg by futtelifut.dyndns.org with local (Exim 4.50)
	id 1EMuth-0003h7-Pb
	for submit@bugs.debian.org; Wed, 05 Oct 2005 00:04:29 +0200
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: adduser: deluser --backup creates world readable file
X-Debbugs-CC: Martin Geisler <mgeisler@mgeisler.net>
Message-Id: <E1EMuth-0003h7-Pb@futtelifut.dyndns.org>
From: Martin Geisler <mgeisler@mgeisler.net>
Date: Wed, 05 Oct 2005 00:04:29 +0200
Delivered-To: submit@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-11.0 required=4.0 tests=BAYES_00,HAS_PACKAGE,
	X_DEBBUGS_CC autolearn=ham version=2.60-bugs.debian.org_2005_01_02

Package: adduser
Version: 3.63
Severity: normal
File: /usr/sbin/deluser

When making a backup with deluser, the resulting file is created like
any other file made by root, and with my umask of 022 it is world
readable.

This is bad since then everybody who get hold of it has access to the
old users files if the administrator does not take care to store the
backup in some safe place.

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages adduser depends on:
ii  debconf                 1.4.30.13        Debian configuration management sy
ii  passwd                  1:4.0.3-31sarge5 change and administer password and
ii  perl-base               5.8.4-8          The Pathologically Eclectic Rubbis

-- debconf information:
* adduser/homedir-permission: true

---------------------------------------
Received: (at 331720-close) by bugs.debian.org; 23 Oct 2005 20:49:48
+0000
>From katie@spohr.debian.org Sun Oct 23 13:49:48 2005
Return-path: <katie@spohr.debian.org>
Received: from katie by spohr.debian.org with local (Exim 3.36 1 (Debian))
	id 1ETmkJ-0000nA-00; Sun, 23 Oct 2005 13:47:11 -0700
From: Marc Haber <mh+debian-packages@zugschlus.de>
To: 331720-close@bugs.debian.org
X-Katie: $Revision: 1.56 $
Subject: Bug#331720: fixed in adduser 3.77
Message-Id: <E1ETmkJ-0000nA-00@spohr.debian.org>
Sender: Archive Administrator <katie@spohr.debian.org>
Date: Sun, 23 Oct 2005 13:47:11 -0700
Delivered-To: 331720-close@bugs.debian.org
X-Spam-Checker-Version: SpamAssassin 2.60-bugs.debian.org_2005_01_02 
	(1.212-2003-09-23-exp) on spohr.debian.org
X-Spam-Level: 
X-Spam-Status: No, hits=-6.0 required=4.0 tests=BAYES_00,HAS_BUG_NUMBER 
	autolearn=no version=2.60-bugs.debian.org_2005_01_02

Source: adduser
Source-Version: 3.77

We believe that the bug you reported is fixed in the latest version of
adduser, which is due to be installed in the Debian FTP archive:

adduser_3.77.dsc
  to pool/main/a/adduser/adduser_3.77.dsc
adduser_3.77.tar.gz
  to pool/main/a/adduser/adduser_3.77.tar.gz
adduser_3.77_all.deb
  to pool/main/a/adduser/adduser_3.77_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 331720@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Marc Haber <mh+debian-packages@zugschlus.de> (supplier of updated adduser
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 23 Oct 2005 18:41:21 +0000
Source: adduser
Binary: adduser
Architecture: source all
Version: 3.77
Distribution: unstable
Urgency: low
Maintainer: Debian Adduser Developers
<adduser-devel@lists.alioth.debian.org>
Changed-By: Marc Haber <mh+debian-packages@zugschlus.de>
Description: 
 adduser    - Add and remove users and groups
Closes: 331720
Changes: 
 adduser (3.77) unstable; urgency=low
 .
   [ Marc Haber ]
   * call make -C po update clean in debian/rules clean.
     Thanks to Eduard Bloch. (mh)
   * invoke debconf-updatepo and po4a in clean target.
     Thanks to Thomas Huriaux. (mh)
 .
   [ Joerg Hoh ]
   * fixed bug in deluser which made not specified parameters valid
   * backup files for users have a mask of 600 and ownership is set to root
     only (Closes: #331720)
Files: 
 9f203c4f5345d3f32a600bffda89d15b 643 admin important adduser_3.77.dsc
 aab3fd55351135469eba93b4f3c04292 151416 admin important adduser_3.77.tar.gz
 0f402bca822ad859a6913156141e4647 81740 admin important adduser_3.77_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iEYEARECAAYFAkNb2zYACgkQgZalRGu6PITqDACfQuAOStCkCUf1mxFYyfBKQf6C
NtMAoIWJzvX25nHwqtRG3d7USLtrO2lw
=mkVy
-----END PGP SIGNATURE-----