[Debconf-devel] Bug#511893: ucf stores diff (of private files) in debconf (world readable)
Colin Watson
cjwatson at debian.org
Thu Jan 22 17:16:20 UTC 2009
On Wed, Jan 21, 2009 at 12:36:39AM -0600, Manoj Srivastava wrote:
> ucf has no way of knowing whether the data it is being asked to
> diff has passwords or other sensitive information; and since it is
> required by policy to use debconf for all user interaction, it _has_ to
> send the diff through debconf.
>
> As suggested in the report already, this can be best fixed by
> debconf tightening up the permissions on the temporary internal files
> it uses for the interaction, so forwarding.
This would be terribly inconvenient for us. It's often necessary to ask
users for their config.dat files in order to diagnose bugs; if it
potentially contained sensitive data, we wouldn't be able to do that
anywhere near as easily. config.dat does not generally contain anything
else sensitive, and we already split passwords out into a separate
database file for exactly this reason. I don't think there's anything
else in config.dat that we need to be rampantly paranoid about; ucf is
the only thing I can think of that routinely dumps chunks of
miscellaneous files into it.
How about if we added a separate database just for ucf? The debconf.conf
stanza could look something like this:

Name: ucf
Driver: File
Mode: 600
Backup: false
Required: false
Accept-Name: ^ucf/
Filename: /var/cache/debconf/ucf.dat

(Alternatively, we could add a new private-note type. I kind of dislike
the idea of type explosion if we don't have to, though.)
Joey, what do you think of this? I'd rather not add a new database
unilaterally.
--
Colin Watson [cjwatson at debian.org]
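To make the routing concrete, here is an added example (not debconf's or ucf's own code) that parses debconf.conf stanzas and reports which database file a question such as the illustrative ucf/show_diff would land in, and whether that file's Mode leaves it world readable. The sample config is constructed, the placement of ucf first in the Stack is an assumption, and the Accept/Reject matching and first-match Stack rule are simplified models of debconf's behaviour, not its actual implementation.

```python
import re
# Constructed sample debconf.conf: a config stanza like the stock one (Mode 644)
# plus the ucf stanza proposed above; listing ucf first in the Stack is assumed.
SAMPLE_CONF = """\
Config: configdb

Name: config
Driver: File
Mode: 644
Reject-Type: password
Filename: /var/cache/debconf/config.dat

Name: ucf
Driver: File
Mode: 600
Accept-Name: ^ucf/
Filename: /var/cache/debconf/ucf.dat

Name: configdb
Driver: Stack
Stack: ucf, config
"""

def parse_stanzas(text):
    """Split a debconf.conf into its blank-line separated {Key: Value} stanzas."""
    return [dict((k.strip(), v.strip()) for k, v in
                 (l.split(":", 1) for l in block.splitlines() if ":" in l))
            for block in re.split(r"\n\s*\n", text.strip())]

def accepts(db, name, qtype):
    """Assumed driver semantics: every Accept-/Reject-Name/-Type rule present must pass."""
    rules = (("Accept-Name", name, True), ("Reject-Name", name, False),
             ("Accept-Type", qtype, True), ("Reject-Type", qtype, False))
    return all(bool(re.search(db[k], s)) == want for k, s, want in rules if k in db)

def store_for(conf_text, name, qtype="note"):
    """First File database in the Stack that accepts the question (assumed first-match rule)."""
    stanzas = parse_stanzas(conf_text)
    by_name = {s["Name"]: s for s in stanzas if "Name" in s}
    stack = by_name[stanzas[0]["Config"]]["Stack"].split(",")
    for db in (by_name[m.strip()] for m in stack):
        if db.get("Driver") == "File" and accepts(db, name, qtype):
            return db
    return None

def world_readable(conf_text, name, qtype="note"):
    """True if the answer would land in a file whose Mode lets 'other' read it."""
    db = store_for(conf_text, name, qtype)
    return db is not None and int(db.get("Mode", "600"), 8) & 0o004 != 0
```

Dropping ucf from the Stack line reproduces the reported situation: the ucf/ diff falls through to config.dat with Mode 644.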