[Pkg-freeradius-maintainers] Bug#890933: Bug#890933: freeradius: File permissions allow access to sensitive information by "others"

Sun Feb 25 15:12:53 UTC 2018

Hey Simon,

On Tue, Feb 20, 2018 at 8:09 PM, Simon Boldinger <simon at turnagile.com>
wrote:

> Package: freeradius
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Dear Maintainer,
>
> first of all, I already shared the following information with the debian
> security team and they asked me to file this as a bug report: "I'm not why
> the
> Debian packaging diverges, can you please file a bug against freeradius to
> have
> the discussion with the maintainers in public?", Moritz Muehlenhoff from
> debian
> security team.
>
> Issue:
> It seems, that sensitive information (for example stored in
> /etc/freeradius/users) can be read by every system user ("others"). After
> asking the freeradius team I was told, that the /etc/freeradius directory
> has
> permissions 750 on their install (see Makefile). On my standard
> ubuntu/debian
> package installation there is another/divergent permission set, which
> allows
> every system user to access the freeradius directory (and therefore also
> some
> files like /etc/freeradius/users which can contain sensitive information).
>

I cannot reproduce this. After “apt install freeradius” on debian sid, I
end up with the following directory:

root at a584ef009927:/# ls -ldR /etc/freeradius
drwxr-s--x 3 freerad freerad 4096 Feb 25 15:08 /etc/freeradius

The permissions are set up by
https://anonscm.debian.org/cgit/pkg-freeradius/freeradius.git/tree/debian/freeradius.postinst?id=f205eab8474e33183d936f4f60006a2e070e8335#n23

Unfortunately, your bug report was not filed from the machine on which you
installed freeradius, so I can’t see which version of the package you’re
using.

Can you provide more details on your installation, along with the result of
ls -ldR /etc/freeradius please?

>
> I assume the debian freeradius package should be adapted, so that access
> to the
> whole /etc/freeradius directory is restricted, as intended by the
> freeradius
> team.
>
> Best regards
> Simon Boldinger
>
>
>
> -- System Information:
> Debian Release: stretch/sid
>   APT prefers artful-updates
>   APT policy: (500, 'artful-updates'), (500, 'artful-security'), (500,
> 'artful'), (100, 'artful-backports')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.13.0-32-generic (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
> LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages freeradius depends on:
> pn  freeradius-common  <none>
> pn  freeradius-config  <none>
> ii  libc6              2.26-0ubuntu2.1
> pn  libct4             <none>
> pn  libfreeradius3     <none>
> ii  libgdbm3           1.8.3-14
> ii  libpam0g           1.1.8-3.2ubuntu3
> ii  libperl5.26        5.26.0-8ubuntu1
> ii  libpython2.7       2.7.14-2ubuntu2
> ii  libreadline7       7.0-0ubuntu2
> ii  libsqlite3-0       3.19.3-3
> ii  libssl1.0.0        1.0.2g-1ubuntu13.3
> ii  libtalloc2         2.1.9-2ubuntu1
> ii  libwbclient0       2:4.6.7+dfsg-1ubuntu3.1
> ii  lsb-base           9.20160110ubuntu5
>
> Versions of packages freeradius recommends:
> pn  freeradius-utils  <none>
>
> Versions of packages freeradius suggests:
> pn  freeradius-krb5        <none>
> pn  freeradius-ldap        <none>
> pn  freeradius-mysql       <none>
> pn  freeradius-postgresql  <none>
> pn  snmp                   <none>
>
> _______________________________________________
> Pkg-freeradius-maintainers mailing list
> Pkg-freeradius-maintainers at lists.alioth.debian.org
> https://lists.alioth.debian.org/mailman/listinfo/pkg-
> freeradius-maintainers
>

-- 
Best regards,
Michael
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-freeradius-maintainers/attachments/20180225/b04a92b2/attachment.html>