[Pkg-zope-developers] Bug#313644: zope2.7: Local security bug
martin f krafft
martin f krafft <madduck@debian.org>, 313644@bugs.debian.org
Tue, 14 Jun 2005 22:30:05 +0200
tags 313644 + patch security
severity 313644 important
thanks
Please try this patch:
--- /usr/lib/zope2.7/bin/mkzopeinstance.py.orig 2005-06-14 22:28:04.538426=
375 +0200
+++ /usr/lib/zope2.7/bin/mkzopeinstance.py 2005-06-14 22:23:28.145889036 +0=
200
@@ -147,7 +147,7 @@
print 'User/password not updated, since file '+inituser+' exists.'
else:
if user and password:
- write_inituser(inituser, user, password)
+ write_inituser(inituser, user, password, uid, gid)
=20
=20
def usage(stream, msg=3DNone):
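Review bot: `uid` and `gid` are passed at the changed call `write_inituser(inituser, user, password, uid, gid)`, but nothing in this hunk's context shows either name being assigned in the enclosing function. Please confirm both are bound on every path that reaches this call, and are `None` when there is no explicit owner to apply, so that the new defaults in write_inituser take effect; otherwise this line raises NameError.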
@@ -190,14 +190,17 @@
print "Password mismatch, please try again..."
return user, passwd
=20
-def write_inituser(fn, user, password):
+def write_inituser(fn, user, password, uid=3DNone, gid=3DNone):
import binascii
import sha
fp =3D open(fn, "w")
pw =3D binascii.b2a_base64(sha.new(password).digest())[:-1]
fp.write('%s:{SHA}%s\n' % (user, pw))
fp.close()
- os.chmod(fn, 0644)
+ os.chmod(fn, 0640)
+ if uid is None: uid =3D fstat(fp.fileno())[4]
+ if gid is None: gid =3D fstat(fp.fileno())[5]
+ os.chown(fn, uid, gid)
=20
if __name__ =3D=3D "__main__":
main()
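Review bot: in write_inituser the two added `fstat(fp.fileno())` lines run after `fp.close()`, so `fileno()` is called on a closed file and raises ValueError whenever `uid` or `gid` is None, which is the default. `fstat` is also unqualified while the neighbouring calls are `os.chmod` and `os.chown`, so it should be `os.fstat` unless the module imports that name directly. Taking the stat before the close, or using `os.stat(fn)`, fixes both. Separately, the file is still created with `open(fn, "w")` and only set to 0640 after the `{SHA}` line has been written and the file closed, so until then its mode is whatever the umask allows; setting the restrictive mode before writing would close that window. Note too that when no owner is supplied the `os.chown` call just reapplies the owner and group the file already has.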
-- 
.''`. martin f. krafft <madduck@debian.org>
: :' : proud Debian developer, admin, user, and author
`. `'`
`- Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!

"arthur slapped his arms about himself to try and get his
circulation a little more enthusiastic about its job."
-- hitchhiker's guide to the galaxy