Matthijs Kooijman
2008-Sep-30 16:28 UTC
[Secure-testing-team] Bug#500707: Does not run as the maradns user/group
Package: maradns
Version: 1.3.07.08-1
Severity: important
Tags: security

Hi,

I noticed that maradns does not properly update its configuration to run as the user "maradns". This results in the default configuration remaining active, which is running as uid 65534 and gid 99. The former should be the user "nobody" on all Debian systems AFAIK, but I think the latter is usually not a valid user. Running maradns with these credentials constitutes a security problem; however, I do not think this is directly exploitable. Hence, I'm marking this as important.

There is code in the postinst script to take care of this. The code is supposed to change the uid/gid config directives to the uid and gid of the "maradns" user and group, also created by the postinst script. However, this only happens when postinst is called with the "install" argument, which never happens according to the Policy Manual [1]. The "install" argument is only passed to the preinst script, AFAICS.

I can reproduce this problem on two separate systems, one running sid and one running lenny. I hope a fixed version can still be included in lenny.

Gr.

Matthijs

[1]: http://www.debian.org/doc/debian-policy/ch-maintainerscripts.html

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.27-rc2-wl-35635-gf8895ad (PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages maradns depends on:
ii  adduser  3.110   add and remove users and groups
ii  libc6    2.7-13  GNU C Library: Shared libraries

maradns recommends no packages.
maradns suggests no packages.

-- no debconf information
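As an added illustration (not the Debian package's own postinst), a POSIX sh sketch of the maintainer-script logic the report describes, keyed on the "configure" argument that dpkg actually passes to postinst rather than "install", plus a check that the config no longer carries the 65534/99 defaults. The directive names maradns_uid/maradns_gid and the mararc file layout are assumptions here.

```shell
#!/bin/sh
# Added example, not maradns' packaging. Assumes mararc-style lines such as
# "maradns_uid = 65534" and "maradns_gid = 99" (directive names assumed).
set -e

# Policy: postinst is invoked with "configure" on (re)installation; "install"
# only ever reaches preinst, so a postinst keyed on "install" never fires.
should_configure() {
    [ "$1" = "configure" ]
}

# Rewrite the uid/gid directives in the given config file to the numeric ids
# passed in. Writes to a temp file and renames, so a failed sed leaves the
# original untouched.  $1 = config file, $2 = uid, $3 = gid
set_mararc_ids() {
    _tmp="$1.tmp.$$"
    sed -e "s/^maradns_uid[[:space:]]*=.*/maradns_uid = $2/" \
        -e "s/^maradns_gid[[:space:]]*=.*/maradns_gid = $3/" "$1" > "$_tmp" \
        && mv "$_tmp" "$1"
}

# Returns 0 when the file no longer runs the daemon as the nobody uid or the
# unassigned gid 99 the report describes; useful as a post-install check.
mararc_ids_fixed() {
    ! grep -Eq '^maradns_(uid[[:space:]]*=[[:space:]]*65534|gid[[:space:]]*=[[:space:]]*99)[[:space:]]*$' "$1"
}

# Resolve the ids of the "maradns" account created by the same postinst.
# Uses getent so it also works when the account lives outside /etc/passwd.
maradns_ids() {
    printf '%s %s\n' "$(getent passwd maradns | cut -d: -f3)" \
                     "$(getent group maradns | cut -d: -f3)"
}

# Entry point as a postinst would use it: postinst_main configure [version]
postinst_main() {
    if should_configure "$1"; then
        set -- $(maradns_ids)
        set_mararc_ids /etc/maradns/mararc "$1" "$2"
    fi
}
```

The check function is the one a practitioner would run after upgrading: if it fails, the daemon is still starting with the default credentials the report describes.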