Package: sfs-server
Version: 1:0.8-0+pre20041016.1-1
Severity: grave
Tags: security
Justification: user security hole

I created a file owned by root on the sfs server, permissions rw-r--r--. Ran sfskey login to my non-root server account, and I was able to remove the file. Tested this for non-root users as well: any user can remove any other user's file.

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.4.27-2-686-smp
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages sfs-server depends on:
ii  libc6             2.3.2.ds1-20             GNU C Library: Shared libraries an
ii  libdb4.2          4.2.52-17                Berkeley v4.2 Database Libraries [
ii  libgcc1           1:3.4.3-6                GCC support library
ii  libgmp3           4.1.4-5                  Multiprecision arithmetic library
ii  libpam0g          0.76-22                  Pluggable Authentication Modules l
ii  libsfs0           1:0.8-0+pre20041016.1-1  Self-Certifying File System shared
ii  libstdc++5        1:3.3.5-5                The GNU Standard C++ Library v3
ii  nfs-kernel-serve  1:1.0.7-1                Kernel NFS server support
ii  sfs-common        1:0.8-0+pre20041016.1-1  Self-Certifying File System common

-- no debconf information