[Secure-testing-team] Bug#890933: freeradius: File permissions allow access to sensitive information by "others"
Simon Boldinger
simon at turnagile.com
Tue Feb 20 19:09:23 UTC 2018
Package: freeradius
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,
First of all, I already shared the following information with the Debian
security team and they asked me to file this as a bug report: "I'm not why the
Debian packaging diverges, can you please file a bug against freeradius to have
the discussion with the maintainers in public?", Moritz Muehlenhoff from the Debian
security team.
Issue:
It seems that sensitive information (for example stored in
/etc/freeradius/users) can be read by every system user ("others"). After
asking the freeradius team I was told that the /etc/freeradius directory has
permissions 750 on their install (see Makefile). On my standard Ubuntu/Debian
package installation there is another/divergent permission set, which allows
every system user to access the freeradius directory (and therefore also some
files like /etc/freeradius/users which can contain sensitive information).
I assume the debian freeradius package should be adapted, so that access to the
whole /etc/freeradius directory is restricted, as intended by the freeradius
team.
Best regards
Simon Boldinger
-- System Information:
Debian Release: stretch/sid
APT prefers artful-updates
APT policy: (500, 'artful-updates'), (500, 'artful-security'), (500, 'artful'), (100, 'artful-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0-32-generic (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages freeradius depends on:
pn freeradius-common <none>
pn freeradius-config <none>
ii libc6 2.26-0ubuntu2.1
pn libct4 <none>
pn libfreeradius3 <none>
ii libgdbm3 1.8.3-14
ii libpam0g 1.1.8-3.2ubuntu3
ii libperl5.26 5.26.0-8ubuntu1
ii libpython2.7 2.7.14-2ubuntu2
ii libreadline7 7.0-0ubuntu2
ii libsqlite3-0 3.19.3-3
ii libssl1.0.0 1.0.2g-1ubuntu13.3
ii libtalloc2 2.1.9-2ubuntu1
ii libwbclient0 2:4.6.7+dfsg-1ubuntu3.1
ii lsb-base 9.20160110ubuntu5
Versions of packages freeradius recommends:
pn freeradius-utils <none>
Versions of packages freeradius suggests:
pn freeradius-krb5 <none>
pn freeradius-ldap <none>
pn freeradius-mysql <none>
pn freeradius-postgresql <none>
pn snmp <none>
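The following script is an added example, not part of the bug report or of the freeradius packaging: it audits a configuration directory for any permission bit granting "others" access (the condition the report describes) and applies the upstream-style layout of 750 for directories and 640 for files. The sample directory, the `users` line and the choice of 640 for files (owner plus the daemon's group, assumed to be the only readers) are assumptions for the demonstration; it does not change ownership, so run a `chown` to the daemon's user/group separately on a real system.

```sh
#!/bin/sh
# Audit helper (added example): list every entry under a directory that has
# any "other" permission bit set (r=004, w=002, x=001). POSIX find's
# "-perm -MODE" matches when all bits of MODE are set, so test each bit.
world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Return 0 when nothing under the directory is world-accessible, 1 otherwise.
audit_config_dir() {
    dir=$1
    hits=$(world_accessible "$dir")
    if [ -n "$hits" ]; then
        printf 'world-accessible entries under %s:\n%s\n' "$dir" "$hits"
        return 1
    fi
    return 0
}

# Remediation matching the upstream layout quoted in the report: 750 on
# directories; 640 on files is an assumption (group read for the daemon).
lock_down() {
    find "$1" -type d -exec chmod 750 {} +
    find "$1" -type f -exec chmod 640 {} +
}

# Constructed demonstration: a throwaway copy of a "users" file with the
# permissive layout the report describes, audited before and after lock_down.
demo() {
    tmp=$(mktemp -d) || return 2
    cfg="$tmp/etc-freeradius"
    mkdir "$cfg"
    # constructed sample entry, not real credentials
    printf 'bob Cleartext-Password := "example-only"\n' > "$cfg/users"
    chmod 755 "$cfg"
    chmod 644 "$cfg/users"
    if audit_config_dir "$cfg" >/dev/null; then
        echo "audit failed to flag world-readable config"
        rm -rf "$tmp"; return 1
    fi
    lock_down "$cfg"
    if ! audit_config_dir "$cfg"; then
        echo "audit still reports findings after lock_down"
        rm -rf "$tmp"; return 1
    fi
    rm -rf "$tmp"
    return 0
}

demo && echo "demo: permissive layout flagged, locked-down layout clean"
```

`audit_config_dir /etc/freeradius` (run with sufficient rights to traverse the directory) gives a quick check of whether a given installation has the divergent permissions; a non-zero exit with a list of paths is the finding.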