[Pkg-freeradius-maintainers] Bug#890933: AW: Bug#890933: freeradius: File permissions allow access to sensitive information by "others"
simon at turnagile.com
Mon Feb 26 19:17:05 UTC 2018
Hi Michael,
thanks for your response. The permission setting you described is exactly the setting I found on my host(s):
root at intra:/etc/freeradius# ls -ldR /etc/freeradius/
drwxr-s--x 6 freerad freerad 28 Feb 25 16:39 /etc/freeradius/
_But_ in combination with the /etc/freeradius/users permission setting:
root at intra:/etc/freeradius# ls -ldR /etc/freeradius/users
-rw-r--r-- 1 root root 6524 Jul 26 2017 /etc/freeradius/users
An "other" user can simply read the (maybe sensitive) content via a simple "cat /etc/freeradius/users".
So, from my point of view the /etc/freeradius permissions should for example be set to 750 or the files within this directory (especially the "users" file) need more restrictive permissions.
Sorry for not sending the bug report from the affected host, but in this case I think it is not necessary anymore?
Greets
Simon
From: michael at i3wm.org [mailto:michael at i3wm.org] On behalf of Michael Stapelberg
Sent: Sunday, 25 February 2018 16:13
To: Simon Boldinger <simon at turnagile.com>; 890933 at bugs.debian.org
Subject: Re: [Pkg-freeradius-maintainers] Bug#890933: freeradius: File permissions allow access to sensitive information by "others"
Hey Simon,
On Tue, Feb 20, 2018 at 8:09 PM, Simon Boldinger <simon at turnagile.com <mailto:simon at turnagile.com> > wrote:
Package: freeradius
Severity: grave
Tags: security
Justification: user security hole
Dear Maintainer,
first of all, I already shared the following information with the debian
security team and they asked me to file this as a bug report: "I'm not why the
Debian packaging diverges, can you please file a bug against freeradius to have
the discussion with the maintainers in public?", Moritz Muehlenhoff from debian
security team.
Issue:
It seems, that sensitive information (for example stored in
/etc/freeradius/users) can be read by every system user ("others"). After
asking the freeradius team I was told, that the /etc/freeradius directory has
permissions 750 on their install (see Makefile). On my standard ubuntu/debian
package installation there is another/divergent permission set, which allows
every system user to access the freeradius directory (and therefore also some
files like /etc/freeradius/users which can contain sensitive information).
I cannot reproduce this. After “apt install freeradius” on debian sid, I end up with the following directory:
root at a584ef009927:/# ls -ldR /etc/freeradius
drwxr-s--x 3 freerad freerad 4096 Feb 25 15:08 /etc/freeradius
The permissions are set up by https://anonscm.debian.org/cgit/pkg-freeradius/freeradius.git/tree/debian/freeradius.postinst?id=f205eab8474e33183d936f4f60006a2e070e8335#n23
Unfortunately, your bug report was not filed from the machine on which you installed freeradius, so I can’t see which version of the package you’re using.
Can you provide more details on your installation, along with the result of ls -ldR /etc/freeradius please?
I assume the debian freeradius package should be adapted, so that access to the
whole /etc/freeradius directory is restricted, as intended by the freeradius
team.
Best regards
Simon Boldinger
-- System Information:
Debian Release: stretch/sid
APT prefers artful-updates
APT policy: (500, 'artful-updates'), (500, 'artful-security'), (500, 'artful'), (100, 'artful-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.13.0-32-generic (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages freeradius depends on:
pn freeradius-common <none>
pn freeradius-config <none>
ii libc6 2.26-0ubuntu2.1
pn libct4 <none>
pn libfreeradius3 <none>
ii libgdbm3 1.8.3-14
ii libpam0g 1.1.8-3.2ubuntu3
ii libperl5.26 5.26.0-8ubuntu1
ii libpython2.7 2.7.14-2ubuntu2
ii libreadline7 7.0-0ubuntu2
ii libsqlite3-0 3.19.3-3
ii libssl1.0.0 1.0.2g-1ubuntu13.3
ii libtalloc2 2.1.9-2ubuntu1
ii libwbclient0 2:4.6.7+dfsg-1ubuntu3.1
ii lsb-base 9.20160110ubuntu5
Versions of packages freeradius recommends:
pn freeradius-utils <none>
Versions of packages freeradius suggests:
pn freeradius-krb5 <none>
pn freeradius-ldap <none>
pn freeradius-mysql <none>
pn freeradius-postgresql <none>
pn snmp <none>
_______________________________________________
Pkg-freeradius-maintainers mailing list
Pkg-freeradius-maintainers at lists.alioth.debian.org <mailto:Pkg-freeradius-maintainers at lists.alioth.debian.org>
https://lists.alioth.debian.org/mailman/listinfo/pkg-freeradius-maintainers
--
Best regards,
Michael
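The disagreement in the thread comes down to how directory and file bits combine: a directory with mode 2711 (drwxr-s--x) denies "others" a listing but still grants them search, so a world-readable file inside it (644) can be read by anyone who knows its name. The following script is an added example, not part of the bug report or of the Debian package; it reimplements that permission walk (every ancestor needs o+x, the file itself o+r) and exercises it on a constructed temporary tree that mirrors the modes quoted above, then on the 750 directory Simon proposes. It assumes GNU coreutils `stat -c %a` and looks only at the classic mode bits, not POSIX ACLs.

```shell
#!/bin/sh
# Added example (not from the bug report or the freeradius package): decide whether
# a user who is neither the owner nor in the owning group could read a file, by
# checking the mode bits the same way the kernel's path walk does. Assumes GNU stat.

# Print the "others" octal digit of a path's mode, e.g. 2711 -> 1, 644 -> 4.
other_bits() {
    mode=$(stat -c %a "$1")
    echo "${mode#"${mode%?}"}"
}

# world_can_read FILE [STOP_DIR]
# Returns 0 when "others" can read FILE: FILE needs o+r and every directory
# between FILE and STOP_DIR (exclusive) needs o+x. STOP_DIR defaults to "/" and is
# assumed searchable, so a test tree can be checked without regard to what sits
# above it on the real filesystem.
world_can_read() {
    target=$1
    stop=${2:-/}
    [ $(( $(other_bits "$target") & 4 )) -ne 0 ] || return 1
    dir=$(dirname "$target")
    while [ "$dir" != "$stop" ]; do
        [ $(( $(other_bits "$dir") & 1 )) -ne 0 ] || return 1
        [ "$dir" = "/" ] && break      # reached the filesystem root
        dir=$(dirname "$dir")
    done
    return 0
}

# Build a constructed tree that mirrors the modes quoted in the thread
# (this is NOT the real /etc/freeradius; the "users" content is made up).
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/freeradius"
    printf 'bob Cleartext-Password := "example-only"\n' > "$tmp/freeradius/users"
    chmod 2711 "$tmp/freeradius"           # drwxr-s--x, as shipped by the package
    chmod 644  "$tmp/freeradius/users"     # -rw-r--r--, as on Simon's host
    if world_can_read "$tmp/freeradius/users" "$tmp"; then
        echo "2711 directory + 644 file: others can read users"
    fi
    chmod 2750 "$tmp/freeradius"           # the 750 setting Simon proposes
    if ! world_can_read "$tmp/freeradius/users" "$tmp"; then
        echo "2750 directory + 644 file: others cannot read users"
    fi
    rm -rf "$tmp"
}

demo
```

Either fix in the thread closes the gap: dropping o+x on the directory (750) blocks the walk at the directory, and tightening the file (640) blocks it at the file; a defender auditing a host can run `world_can_read /etc/freeradius/users` as-is, remembering that ACLs, capabilities and root are outside what the mode bits express.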