[Debconf-devel] Bug#511893: ucf stores diff (of private files) in debconf (world readable)

[Colin Watson]

On Wed, Jan 21, 2009 at 12:36:39AM -0600, Manoj Srivastava wrote:
>         ucf has no way of knowing whether the data it is being asked to
>  diff has passwords or other sensitive information; and since it is
>  required by policy to use debconf for all user interaction, it _has_ to
>  send the diff through debconf.
> 
>         As suggested in the report already, this can be best fixed by
>  debconf tightening up the permissions on the temporary internal files
>  it uses for the interaction, so forwarding.

This would be terribly inconvenient for us. It's often necessary to ask
users for their config.dat files in order to diagnose bugs; if it
potentially contained sensitive data, we wouldn't be able to do that
anywhere near as easily. config.dat does not generally contain anything
else sensitive, and we already split passwords out into a separate
database file for exactly this reason. I don't think there's anything
else in config.dat that we need to be rampantly paranoid about; ucf is
the only thing I can think of that routinely dumps chunks of
miscellaneous files into it.

How about if we added a separate database just for ucf? The debconf.conf
stanza could look something like this:

  Name: ucf
  Driver: File
  Mode: 600
  Backup: false
  Required: false
  Accept-Name: ^ucf/
  Filename: /var/cache/debconf/ucf.dat

(Alternatively, we could add a new private-note type. I kind of dislike
the idea of type explosion if we don't have to, though.)

Joey, what do you think of this? I'd rather not add a new database
unilaterally.

-- 
Colin Watson                                       [cjwatson at debian.org]