Bug#299007: base-files: Insecure PATH in /root/.profile

2005-03-24 Thread Bill Allombert
On Fri, Mar 25, 2005 at 06:37:14AM +1100, [EMAIL PROTECTED] wrote:
> > In no way installing the debian-policy package introduce a security
> > hole, causes serious data loss or makes unrelated software on the
> > system break.
>
> Not the installation of the policy package, but the following of th

Bug#299007: base-files: Insecure PATH in /root/.profile

2005-03-24 Thread psz
Bill, Thank you for the explanations.
> One of the rules is that policy proposal are wishlist by definition.
Quite sensible: protect the policy-makers from blame and "litigation". I guess that the couple of "normal" bugs listed under http://bugs.debian.org/cgi-bin/pkgreport.cgi?pkg=debian-poli

Bug#299007: base-files: Insecure PATH in /root/.profile

2005-03-24 Thread Bill Allombert
On Thu, Mar 24, 2005 at 07:11:18PM +1100, [EMAIL PROTECTED] wrote:
> Dear Debian BTS gurus,
>
> A day or so ago, in connection with another bug (#295435), I discovered
> the existence and use of [EMAIL PROTECTED] Out of curiosity, I
> tried to set the severity of this bug to critical; to my amazem

Bug#299007: base-files: Insecure PATH in /root/.profile

2005-03-24 Thread psz
Dear Debian BTS gurus, A day or so ago, in connection with another bug (#295435), I discovered the existence and use of [EMAIL PROTECTED] Out of curiosity, I tried to set the severity of this bug to critical; to my amazement, this worked; but then Manoj Srivastava set the severity back to wishlist

Bug#299007: base-files: Insecure PATH in /root/.profile

2005-03-23 Thread psz
Some Googling turned up the following: http://www.tldp.org/HOWTO/Path-12.html Any of the important daemon processes should never execute anything that some other user can write into. In some systems, /usr/local/bin is allowed to contain programs with less strict security screening - it is

Bug#299007: base-files: Insecure PATH in /root/.profile

2005-03-11 Thread Santiago Vila
severity 299007 wishlist
reassign 299007 debian-policy
thanks
On Fri, 11 Mar 2005, Paul Szabo wrote:
> Package: base-files
> Version: 3.0.2
> Severity: critical
> Tags: patch security
> Justification: root security hole
>
> I recently noticed that /usr/local and /usr/local/{bin,sbin} are
> group

Bug#299007: base-files: Insecure PATH in /root/.profile

2005-03-10 Thread Paul Szabo
Package: base-files
Version: 3.0.2
Severity: critical
Tags: patch security
Justification: root security hole
I recently noticed that /usr/local and /usr/local/{bin,sbin} are group-writable and owned by root:staff. This is wrong: those directories are in the default PATH for root. They (and files