[Popcon-developers] Bug#292163: Wrong permissions on /etc/popularity-contest.conf
Bill Allombert
Bill Allombert <allomber@math.u-bordeaux.fr>, 292163@bugs.debian.org
Fri, 18 Feb 2005 01:14:19 +0100
On Tue, Jan 25, 2005 at 03:12:46PM +0100, Thomas Wana wrote:
> Package: popularity-contest
> Version: 1.26
> Severity: minor
>
> Hi,
>
> the FAQ states:
>
> Q) What are the privacy consideration for popularity-contest ?
>
> A) Each popularity-contest host is identified by a random 128bit uuid
> (MY_HOSTID in /etc/popularity-contest). This uuid is used to track
> submission issued by the same host. It should be kept secret.
>
> Indeed, the permissions on /etc/popularity-contest.conf (this is a typo
> btw. in the FAQ) are:
Oh, thanks.
>
> neptun:~# ls -l /etc/popularity-contest.conf
> -rw-r--r-- 1 root root 357 Jan 25 15:04 /etc/popularity-contest.conf
>
> which makes it world readable. The permissions should be adjusted.
Hello Thomas,
If you can read /etc/popularity-contest.conf, you can certainly read
/var/lib/dpkg/status which contains mostly the same data as the
popcon report. Also you can read the IP adress, the ethernet MAC
address, etc. to track the box.
Given that, knowing the MY_HOSTID should not make any difference.
To be honest, it would require lots of change to support a
/etc/popularity-contest.conf not world readable, so I
would prefer to get away with an update to the FAQ :).
Cheers,
--
Bill. <ballombe@debian.org>
Imagine a large red swirl here.