Re: Bug#554893: startup script should be more careful with chown -R

2009-11-08 Thread The Fungi
On Sun, Nov 08, 2009 at 09:21:14PM +0300, Michael Tokarev wrote: > A good one. It appears that I quite something changed since I last looked > at this. No, I didn't test it because I remember it's how things worked > before. But that was long before ;) > > As of coreutils-6.0, coreutils suppor

Re: Bug#554893: startup script should be more careful with chown -R

2009-11-08 Thread Michael Tokarev
The Fungi wrote: On Sun, Nov 08, 2009 at 07:13:25PM +0300, Michael Tokarev wrote: [...] And as others in #debian pointed out the overlooked obvious, `chown -R' follows symlinks. So it's sufficient to put a symlink to /etc/passwd into /var/lib/nsd3 to get the system 0wned. [...] Not to downpla

Re: Bug#554893: startup script should be more careful with chown -R

2009-11-08 Thread The Fungi
On Sun, Nov 08, 2009 at 07:13:25PM +0300, Michael Tokarev wrote: [...] > And as others in #debian pointed out the overlooked obvious, `chown -R' > follows symlinks. So it's sufficient to put a symlink to /etc/passwd into > /var/lib/nsd3 to get the system 0wned. [...] Not to downplay the original

Re: Bug#554893: startup script should be more careful with chown -R

2009-11-08 Thread Pierre Habouzit
On Sun, Nov 08, 2009 at 06:11:20PM +0300, Michael Tokarev wrote: > reopen 554893 > thanks > > [Cc'ing debian-devel because it's wrong to call valid claims "bogus" > and closing security bugs without any changes, especially since the > issue at hand in the package actually is bogus from the beginni

Re: Bug#554893: startup script should be more careful with chown -R

2009-11-08 Thread Michael Tokarev
Michael Tokarev wrote: [] Pierre Habouzit wrote: On Sat, Nov 07, 2009 at 08:48:35AM +0300, Michael Tokarev wrote: Package: nsd3 Version: 3.2.3-1 Severity: normal Tags: patch Current /etc/init.d/nsd3 contains the following code which gets executed _every_ time the script is run, even before ch

Re: Bug#554893: startup script should be more careful with chown -R

2009-11-08 Thread Michael Tokarev
reopen 554893 thanks [Cc'ing debian-devel because it's wrong to call valid claims "bogus" and closing security bugs without any changes, especially since the issue at hand in the package actually is bogus from the beginning] Pierre Habouzit wrote: On Sat, Nov 07, 2009 at 08:48:35AM +0300, Micha