[Secure-testing-team] Bug#718184: strange /usr/lib/utempter/ subdir permissions

Michael Tokarev mjt at tls.msk.ru
Sun Jul 28 14:29:45 UTC 2013


Package: libutempter0
Version: 1.1.5-4
Severity: normal
Tags: security

libutempter0 package contains a setgid helper binary, utempter, which
is supposed to be used to modify utmp records on behalf of "semi-privileged"
users.  For this reason it is installed as setgid-utmp.  And in order to
restrict who can run it, the binary is placed into a subdirectory which
is supposed to be accessible by members of a single group, also called
utempter.  This is, at least, how I interpret this whole thing.

However, libutempter0 package goes on to set proper group for the
directory, but fails to set proper permissions, and the directory has
regular 0755 permissions, even if owned by utempter group.

So the "semi-privileged" part of the picture isn't enforced, and everyone
is able to run the sgid helper and apparently mess up with utmp records.

This is just my understanding, I might be wrong.  But at any rate the
resulting setup is quite unusual - we should either enforce the
restriction (by removing "x" permission for "others" for this dir),
or stop shipping the helper in a subdirectory, putting it directly
into /usr/lib.

If the former, I think statoverride mechanism should be used for this,
instead of chgrp'ing the directory in postinst script.

Adding `security' tag because this issue has possible security implications.

Thanks,

/mjt
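
The check described in the report, as an added example that is not part of the original message or of the package: a POSIX shell function that reports whether "others" can traverse a directory meant to gate a set-id helper. The function name `audit_helper_dir` and its exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a directory that is meant to gate access to a
# set-id helper (as /usr/lib/utempter is described in the report).
# Exit status: 0 = "others" cannot enter the directory,
#              1 = "others" can enter it (the restriction is not enforced),
#              2 = the path is not a directory.
audit_helper_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "audit: $dir is not a directory" >&2
        return 2
    fi

    # Owning group and symbolic mode, taken from ls -ld (fields 4 and 1).
    group=$(ls -ld "$dir" | awk '{print $4}')
    perms=$(ls -ld "$dir" | awk '{print substr($1, 1, 10)}')
    echo "directory: $dir  mode: $perms  group: $group"

    # Informational: set-uid / set-gid files that the directory protects.
    # Errors are hidden because the caller may not be able to read the dir.
    find "$dir" -type f \( -perm -2000 -o -perm -4000 \) \
        -exec ls -l {} \; 2>/dev/null

    # -perm -0001 matches when the search (x) bit for "others" is set;
    # -prune keeps find on the directory itself.
    if [ -n "$(find "$dir" -prune -perm -0001)" ]; then
        echo "result: others can traverse $dir; group gating is not enforced"
        return 1
    fi
    echo "result: only owner/group can traverse $dir"
    return 0
}

# Usage (path from the report): audit_helper_dir /usr/lib/utempter
```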


