[Secure-testing-team] Bug#593829: sabnzbdplus: sabnzbd.ini defaults to world-readable

P.M. van Aalten debian at vanaalten.net
Sat Aug 21 11:33:44 UTC 2010


Package: sabnzbdplus
Version: 0.5.3-1
Severity: grave
Tags: security
Justification: user security hole

After installing sabnzbdplus and configuring it, I found out that the main configuration file for sabnzbdplus is world-readable (it can be found in $HOME/.sabnzbd/sabnzbd.ini).
This config file contains my sabnzbd access password (which I could have chosen the same as my login password...) as well as my E-mail user name & password - all in plain text. Since this file is world-readable (644), these logins are available to everyone with access to the file.

A user can manually change this - setting it to 600 seems to work fine in my case - but someone 'just installing the package' may forget about this.

Unfortunately this file is not part of the files that get installed - it is generated by sabnzbd itself at first startup. So it is not simply a matter of adding a chmod to the postinst file.
What I propose is to modify the init script (pseudocode):
if [ -n "$CONFIG" ]; then                       # CONFIG set in /etc/default/sabnzbdplus
  touch "$CONFIG"                               # well, maybe only if it didn't exist yet
  chmod 600 "$CONFIG"                           # perhaps switchable in case one WANTS it world/group readable
else
  touch "/home/$USER/.sabnzbd/sabnzbd.ini"      # maybe not referring to /home
  chmod 600 "/home/$USER/.sabnzbd/sabnzbd.ini"
fi

(perhaps some chown commands should be added to this as well)
(and perhaps only do this if the config file didn't exist yet, so effectively at first run)

This way, an (empty) config file with proper security settings will be generated at the right location before first use. Not the nicest solution, but the best I can think of.

This issue seems to have been discussed already on the sabnzbd forum - the conclusion was something like "the usenet password already is plain text, therefore no use hiding the user password - best is to simply change the ini file security settings". That's what I try to accomplish automatically with the proposal above.

Regards,
Matthijs



-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-486
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages sabnzbdplus depends on:
ii  python                        2.6.5-11   interactive high-level object-orie
ii  python-cheetah                2.4.2.1-1  text-based template engine and Pyt
ii  python-configobj              4.7.2+ds-1 simple but powerful config file re
ii  python-feedparser             4.1-14     Universal Feed Parser for Python
ii  python-support                1.0.9      automated rebuilding support for P
ii  sabnzbdplus-theme-smpl        0.5.3-1    smpl interface templates for the S

Versions of packages sabnzbdplus recommends:
ii  par2                     0.4-11          Parity Archive Volume Set, for che
ii  python-openssl           0.10-1          Python wrapper around the OpenSSL 
ii  python-yenc              0.3+debian-2+b1 yEnc encoding/decoding extension f
ii  rar                      2:3.9.3-1       Archiver for .rar files
ii  sabnzbdplus-theme-classi 0.5.3-1         classic interface templates for th
ii  sabnzbdplus-theme-plush  0.5.3-1         plush interface templates for the 
ii  unrar                    1:3.8.5-1       Unarchiver for .rar files (non-fre
ii  unzip                    6.0-4           De-archiver for .zip files

Versions of packages sabnzbdplus suggests:
pn  python-dbus                   <none>     (no description available)
pn  sabnzbdplus-theme-mobile      <none>     (no description available)

-- Configuration Files:
/etc/default/sabnzbdplus changed:
USER=sabnzbd
CONFIG=
HOST=192.168.1.3
PORT=7070
EXTRAOPTS=


-- no debconf information
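The first-run permission fix proposed in the report, written out as a runnable POSIX sh snippet. This is an added example, not the reporter's pseudocode and not the Debian package's actual init script; the function names (`resolve_config_path`, `ensure_private_config`, `is_private`, `mode_of`) and the temporary-directory demonstration at the end are assumptions made for the illustration. It goes one step beyond the proposal: the file is created under a restrictive umask, so there is no window in which an empty world-readable file exists between `touch` and `chmod`, an already-private file is left untouched, and the optional `chown` only runs when the script is root.

```shell
#!/bin/sh
# Added example: hardening helper for a daemon config file that the daemon
# itself creates on first start (the sabnzbd.ini case from the report).
# Not the package's init script; names and paths are assumptions.

# Print the octal permission bits of a file (GNU stat first, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if no group/other permission bits are set, 1 otherwise.
is_private() {
    case $(mode_of "$1") in
        ?00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Mirror the report's if/else: CONFIG from /etc/default/sabnzbdplus when set,
# otherwise the daemon's default location under the service user's home.
#   resolve_config_path CONFIG USER
resolve_config_path() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "/home/$2/.sabnzbd/sabnzbd.ini"
    fi
}

# ensure_private_config FILE [OWNER]
#   Creates FILE (and its directory) with mode 0600 if it does not exist yet, so
#   the daemon's first run writes into an already-private file; tightens an
#   existing FILE that is group- or world-readable; chowns to OWNER when root.
ensure_private_config() {
    file=$1
    owner=${2:-}
    dir=$(dirname "$file")

    if [ ! -e "$file" ]; then
        # umask 077 makes the new file 600 and the directory 700 at creation,
        # closing the race that "touch; chmod 600" would leave open.
        ( umask 077 && mkdir -p "$dir" && : > "$file" ) || return 1
    elif ! is_private "$file"; then
        chmod 600 "$file" || return 1
    fi

    # Ownership fix (the report's "perhaps some chown"), only meaningful as root.
    if [ -n "$owner" ] && [ "$(id -u)" = 0 ]; then
        chown "$owner" "$file" || return 1
    fi
    return 0
}

# Demonstration on a constructed temporary directory; no real install is touched.
demo_dir=$(mktemp -d)
ensure_private_config "$demo_dir/.sabnzbd/sabnzbd.ini"   # first-run branch
: > "$demo_dir/old.ini" && chmod 644 "$demo_dir/old.ini"
ensure_private_config "$demo_dir/old.ini"                # tighten-existing branch
echo "new file: $(mode_of "$demo_dir/.sabnzbd/sabnzbd.ini"), old file: $(mode_of "$demo_dir/old.ini")"
rm -rf "$demo_dir"
```

In an init script the call would be `ensure_private_config "$(resolve_config_path "$CONFIG" "$USER")" "$USER"` before the daemon is started. The `is_private` check doubles as a one-shot audit for installations that already exist.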