Package: dlt-daemon
Version: 2.18.0-1
Severity: serious
Tags: security

Hi!

This daemon runs as user nobody, while creating multiple files on the
filesystem owned by the same user, which are used as part of its
security protection. This is a security issue, given that other
daemons on the system might be running as the same user, and worse
when dlt-daemon is writing and parsing files from hardcoded paths
under /tmp.

From base-passwd/users-and-groups.txt.gz:

  ,---
    nobody, nogroup
          Daemons that need not own any files sometimes run as
          user nobody and group nogroup, although using a
          dedicated user is far preferable. Thus, no files on a
          system should be owned by this user or group.

          (Technically speaking, it does no harm for a file to be
          owned by group nogroup as long as the ownership confers
          no additional privileges, that is if the group and other
          permission bits are equal. However, this is sloppy
          practice and should be avoided.)

          If root-squashing is in use over NFS, root access from
          the client is performed as user nobody on the server.
  `---

If you are going to fix this by using a dedicated user/group, please
make sure to namespace them with «_» to distinguish them as system
users and avoid unnecessary collisions with non-system users. (Such
as _dlt or similar.)

[ The version I used is the earliest I found with the same issue from
  the tracker.d.o page, earlier versions might be affected too, dunno. ]

Thanks,
Guillem
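
An added example, not part of the original report or of dlt-daemon: a Python audit that applies the quoted base-passwd rule to a directory tree, flagging anything owned by user nobody, and anything owned by group nogroup whose group and other permission bits differ. The value 65534 is Debian's fixed uid/gid for nobody/nogroup; the function name, the reason labels and the /tmp default are assumptions of this example.

```python
import os
import stat
import sys

NOBODY_UID = 65534   # Debian's fixed uid for "nobody" (assumed for other systems)
NOGROUP_GID = 65534  # Debian's fixed gid for "nogroup" (assumed for other systems)


def audit_tree(root, uid=NOBODY_UID, gid=NOGROUP_GID):
    """Return sorted (path, reason) findings for entries below root.

    Symlinks are never followed, so a link planted in a shared directory
    cannot redirect the audit elsewhere.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished between listing and lstat
            if st.st_uid == uid:
                # Policy: no file should be owned by this user at all.
                findings.append((path, "owned-by-user"))
            elif st.st_gid == gid and not stat.S_ISLNK(st.st_mode):
                # Group ownership is harmless only when it grants nothing
                # beyond "other": compare the two permission triplets.
                group_bits = (st.st_mode >> 3) & 0o7
                other_bits = st.st_mode & 0o7
                if group_bits != other_bits:
                    findings.append((path, "group-confers-privilege"))
    return sorted(findings)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "/tmp"
    for path, reason in audit_tree(target):
        print(f"{reason}\t{path}")
```
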
