Nico Golde
2008-Jun-04 23:41 UTC
[Secure-testing-team] Bug#484570: [motion] motion.conf world readable and thus writable through web interface by default
Package: motion
Version: 3.2.3-2.1
Severity: grave
Tags: security
X-Debbugs-CC: secure-testing-team at lists.alioth.debian.org

Hi,
the default configuration file of motion is world-readable in default installations on Debian:

ls -l /etc/motion/motion.conf
-rw-r--r-- 1 root root 22085 5. Jun 00:49 /etc/motion/motion.conf

That basically makes control_authentication, which is used for HTTP authentication, useless, as an attacker can read the login credentials and then change the configuration to whatever he likes via the web interface of motion (for example, switching off motion detection).

Kind regards
Nico

--- System information. ---
Architecture: amd64
Kernel: Linux 2.6.24-1-amd64

Debian Release: lenny/sid
500 unstable debian.netcologne.de

--- Package information. ---
Depends (Version) | Installed
==========================================-+-==================
libavcodec51 (>= 0.svn20080206) | 0.svn20080206-7
libavformat52 (>= 0.svn20080206) | 0.svn20080206-7
libavutil49 (>= 0.svn20080206) | 0.svn20080206-7
libc6 (>= 2.7-1) | 2.7-12
libjpeg62 | 6b-14
libmysqlclient15off (>= 5.0.27-1) | 5.0.51a-6
libpq5 (>= 8.3~beta1) | 8.3.1-2+b1
debconf (>= 0.5) | 1.5.22
 OR debconf-2.0 |
adduser | 3.107
debconf | 1.5.22

-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
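The exposure in the report (credentials in a config file that is mode 0644) as an added audit helper; this script is not part of the bug report or of motion, it assumes GNU stat(1) as on Debian, and every key name except control_authentication is a constructed guess at credential-bearing settings:

```shell
#!/bin/sh
# Added audit helper, not from the bug report or from motion itself.
# Checks whether a daemon config file carrying credentials is readable by
# group or others (as /etc/motion/motion.conf at 0644 was), and applies the
# remedy discussed in the thread: restrict the file to its owner.
# Assumptions: GNU stat(1); the "*password" key pattern is a generic guess,
# only control_authentication is taken from the report.

# Exit 0 if FILE contains a setting that carries a secret, 1 otherwise.
# Commented-out lines (leading '#') are not counted.
has_secret() {
    grep -Eq '^[[:space:]]*(control_authentication|[A-Za-z_]*password)[[:space:]]' "$1"
}

# Exit 0 if the group or other read bit is set on FILE (e.g. 644, 640, 604).
# The last two octal digits are group and other; read bit set means 4..7.
group_or_other_readable() {
    case "$(stat -c '%a' "$1")" in
        *[4567][0-7] | *[0-7][4567]) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit 1 with a finding when FILE holds secrets and is readable beyond owner.
check_config() {
    if has_secret "$1" && group_or_other_readable "$1"; then
        echo "FINDING: $1 ($(stat -c '%a %U:%G' "$1")) contains credentials but is group/other readable" >&2
        return 1
    fi
    return 0
}

# Remedy: owner-only access, then re-run the check to confirm it is clean.
harden_config() {
    chmod 0600 "$1" && check_config "$1"
}

# Usage: audit each path given on the command line, e.g.
#   sh audit-conf.sh /etc/motion/motion.conf
# $rc is 1 if any file produced a finding.
rc=0
for f in "$@"; do
    check_config "$f" || rc=1
done
```

A file without credential settings is accepted at 0644, so the check only flags files where the world-readable mode actually exposes a secret.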
Thijs Kinkhorst
2008-Jun-05 06:54 UTC
[Secure-testing-team] Bug#484570: [motion] motion.conf world readable and thus writable through web interface by default
Hi Nico,

On Thursday 5 June 2008 01:41, Nico Golde wrote:
> That basically makes the control_authentication which is
> used for http authentication useless as an attacker can read
> login credentials and then change the configuration to
> whatever he likes via the web interface of motion (for
> example switching off motion detection).

As I understand it this is a fully optional feature not enabled by default.

When such issues are reported to the stable security team we usually consider them to be a non-issue following this reasoning: when an administrator explicitly edits a config file to add credentials to it, that administrator should be considered capable enough to check whether the file is secured.

Many applications allow for optional secrets to be added, e.g. my Postfix main.cf has a SASL username & password, but we don't require the Postfix' main.cf to be 0600 in a default installation. Normally we respond with this reasoning and advise the maintainer to add a comment right above the setting to remind the administrator of the file's permissions.

Thijs
Nico Golde
2008-Jun-05 08:25 UTC
[Secure-testing-team] Bug#484570: [motion] motion.conf world readable and thus writable through web interface by default
Hi Thijs,
* Thijs Kinkhorst <thijs at debian.org> [2008-06-05 08:56]:
> Hi Nico,
>
> On Thursday 5 June 2008 01:41, Nico Golde wrote:
> > That basically makes the control_authentication which is
> > used for http authentication useless as an attacker can read
> > login credentials and then change the configuration to
> > whatever he likes via the web interface of motion (for
> > example switching off motion detection).
>
> As I understand it this is a fully optional feature not enabled by default.

Yes.

> When such issues are reported to the stable security team we usually consider
> them to be a non-issue following this reasoning: when an administrator
> explicitly edits a config file to add credentials to it, that administrator
> should be considered capable enough to check whether the file is secured.
>
> Many applications allow for optional secrets to be added, e.g. my Postfix
> main.cf has a SASL username & password, but we don't require the Postfix'
> main.cf to be 0600 in a default installation. Normally we respond with this
> reasoning and advise the maintainer to add a comment right above the setting
> to remind the administrator of the file's permissions.

I have some problems following that, because I fail to see why a normal user should be able to read that file even if no credentials are included. I'm not sure if assuming an admin is capable of noticing 644 rights and changing them to an appropriate value is a good idea. I for myself would not expect this in /etc (I may not be a good admin :). This is also problematic as motion can log to different databases, including the credentials for this as well in that file. However, adding a note to the configuration file sounds like a good idea, but the solution could be a lot simpler by changing the permissions.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Thijs Kinkhorst
2008-Jun-05 08:41 UTC
[Secure-testing-team] Bug#484570: [motion] motion.conf world readable and thus writable through web interface by default
On Thu, June 5, 2008 10:25, Nico Golde wrote:
> I have some problems to follow that because I fail to see
> why a normal user should be able to read that file even if no credentials
> are included. I'm not sure if assuming an admin is capable of noticing 644
> rights and changing it to appropriate value is a good idea. I for myself
> would not expect this in /etc (I may be not a good admin :). This is also
> problematic as motion can log to different databases including the
> credentials for this as well in that file. However adding a note to the
> configuration file sounds like a good idea but the solution could be a lot
> simpler by changing the permissions.

Wouldn't that advocate making nearly every file under /etc mode 0600, since there's just a minority of those that need to be read by users? Everything from inetd, apache, postfix, network/interfaces, ...

Thijs
Nico Golde
2008-Jun-05 08:49 UTC
[Secure-testing-team] Bug#484570: [motion] motion.conf world readable and thus writable through web interface by default
Hi Thijs,
* Thijs Kinkhorst <thijs at debian.org> [2008-06-05 10:44]:
> On Thu, June 5, 2008 10:25, Nico Golde wrote:
> > I have some problems to follow that because I fail to see
> > why a normal user should be able to read that file even if no credentials
> > are included. I'm not sure if assuming an admin is capable of noticing 644
> > rights and changing it to appropriate value is a good idea. I for myself
> > would not expect this in /etc (I may be not a good admin :). This is also
> > problematic as motion can log to different databases including the
> > credentials for this as well in that file. However adding a note to the
> > configuration file sounds like a good idea but the solution could be a lot
> > simpler by changing the permissions.
>
> Wouldn't that advocate to make nearly every file under /etc mode 0600,
> since there's just a minority of those that need to be read by users?
> Everything from inetd, apache, postfix, network/interfaces, ...

What is your argument against that? I think yes, for those which can include passwords this should be the case, for the simple reason that this is the simplest solution for the problem. I see absolutely no argument for not doing this and forcing admins to check file permissions by themselves.

To come back to your SASL example, I also think the situation is slightly different. Getting your SASL credentials, you can send mails through your SMTP gateway; getting the motion credentials enables you to change the complete configuration through the web interface.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
Thijs Kinkhorst
2008-Jun-05 09:11 UTC
[Secure-testing-team] Bug#484570: [motion] motion.conf world readable and thus writable through web interface by default
On Thu, June 5, 2008 10:49, Nico Golde wrote:
> What is your argument against that? I think yes, for those
> who can include passwords this should be the case for the simple reason
> that this is the simplest solution for the problem.

I'm not principally opposed to that, but I think in that case we'd better make it a policy change rather than filing RC bugs on any package that could possibly have secrets in a configuration file.

Thijs
Nico Golde
2008-Jun-05 13:38 UTC
[Secure-testing-team] Bug#484570: Bug#484570: [motion] motion.conf world readable and thus writable through web interface by default
Hi Thijs,
* Thijs Kinkhorst <thijs at debian.org> [2008-06-05 11:35]:
> On Thu, June 5, 2008 10:49, Nico Golde wrote:
> > What is your argument against that? I think yes, for those
> > who can include passwords this should be the case for the simple reason
> > that this is the simplest solution for the problem.
>
> I'm not principally oposed to that but I think in that case we'd better
> make it a policy change rather than to being filing RC bugs on any package
> that could possibly have secrets in a configuration file.

I submitted a wishlist bug against the policy for this. Though having a policy statement about this would also result in an RC bug if it's violated :)

Thanks for your input!

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.