[Secure-testing-team] Bug#745578: virtualenwrapper: Insecure default permissions for ~/.virtualenvs and scripts
Simon Ruderich
simon at ruderich.org
Tue Apr 22 23:34:10 UTC 2014
Package: virtualenwrapper
Severity: important
Tags: security

Hello,

virtualenvwrapper creates ~/.virtualenvs and the scripts stored
therein with 0775 as permissions. This is a security
vulnerability for multi-user systems where more than one user is
in the same group.

The problematic part is (at least) in user_scripts.py:

    PERMISSIONS = stat.S_IRWXU | stat.S_IRWXG | stat.S_IROTH | stat.S_IXOTH

This should be changed to S_IRGRP.

Because the directory ~/.virtualenvs is created by default when
using bash-completions (at least in Debian Wheezy), this affects
many users.

Regards
Simon
--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
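
An added example, not part of the original report and not virtualenvwrapper's own code: a Python check that lists every entry under a directory such as ~/.virtualenvs that group or other can write, and can clear those write bits. The function names and the choice to drop only the write bits are assumptions of this example; the mode constant is the one quoted in the report.

```python
import os
import stat

# Mode constant quoted in the report (user_scripts.py); it evaluates to 0o775.
REPORTED_PERMISSIONS = stat.S_IRWXU | stat.S_IRWXG | stat.S_IROTH | stat.S_IXOTH
# Bits that let anyone other than the owner modify a file or directory.
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def find_writable_by_others(root):
    """Return sorted (path, mode) pairs under root that group or other can write."""
    candidates = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        candidates.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    findings = []
    for path in candidates:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode is not what controls write access
        mode = stat.S_IMODE(st.st_mode)
        if mode & WRITABLE_BY_OTHERS:
            findings.append((path, mode))
    return sorted(findings)


def tighten(root):
    """Clear group/other write bits on every finding; return the paths changed."""
    changed = []
    for path, mode in find_writable_by_others(root):
        os.chmod(path, mode & ~WRITABLE_BY_OTHERS)
        changed.append(path)
    return changed


if __name__ == "__main__":
    # Report only; call tighten() explicitly to change anything.
    venvs = os.path.expanduser("~/.virtualenvs")
    if os.path.isdir(venvs):
        for path, mode in find_writable_by_others(venvs):
            print("%04o %s" % (mode, path))
```
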