[Popcon-developers] Bug#414644: popularity-contest: HOME=/tmp is not a good idea
Bill Allombert
Bill.Allombert at math.u-bordeaux1.fr
Tue Mar 13 22:31:27 CET 2007
severity 414644 serious
quit
On Tue, Mar 13, 2007 at 12:39:08AM +0100, Robert Luberda wrote:
> Package: popularity-contest
> Version: 1.40
> Severity: important
> Tags: security, patch
>
> Hi,
>
> The popularity-contest's weekly cron job sets HOME to /tmp before
> generating the popularity report. By doing that it tries to avoid dpkg
> failures on an unreadable /root/.dpkg.cfg file.
> However /tmp is world-writable, so any user can create /tmp/.dpkg.cfg
> and make it unreadable for others, thus causing dpkg to generate a
> "failed to open config file" warning.
>
> Patch:
> - set HOME to e.g. /nonexistent
> or
> - don't pass the `-p' option to su
Actually this is worse than that, the user can add various options to
dpkg in that file that will then be used by dpkg.
I am evaluating the following patch (which does the latter of your
proposals).
Cheers,
--
Bill. <ballombe at debian.org>
Imagine a large blue swirl here.
Index: debian/cron.weekly
===================================================================
RCS file: /cvsroot/popcon/popularity-contest/debian/cron.weekly,v
retrieving revision 1.18
diff -u -r1.18 cron.weekly
--- debian/cron.weekly 7 Oct 2006 14:50:32 -0000 1.18
+++ debian/cron.weekly 13 Mar 2007 21:11:46 -0000
@@ -30,8 +30,7 @@
run_popcon()
{
- # Set HOME to avoid bug #212013.
- HOME=/tmp su -pc "sh -c /usr/sbin/popularity-contest" nobody
+ su -c "sh -c /usr/sbin/popularity-contest" nobody
}
do_sendmail()
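Review bot: the comment citing bug #212013 is dropped together with the `HOME=/tmp` line, so the hunk leaves no record of why `-p` must not be passed to su; keep a one-line comment in its place, e.g. `# Do not use su -p: HOME must not point at a user-writable directory (see #212013, #414644)`, so a later edit does not reintroduce the environment-preserving form. Without `-p`, su resets HOME to the home directory from nobody's passwd entry, which is what makes dpkg stop consulting a `.dpkg.cfg` that any local user can create.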