[Pkg-freeradius-maintainers] Bug#890933: Bug#890933: freeradius: File permissions allow access to sensitive information by "others"
Michael Stapelberg
stapelberg at debian.org
Mon Feb 26 20:46:24 UTC 2018
On Mon, Feb 26, 2018 at 8:17 PM, <simon at turnagile.com> wrote:
> Hi Michael,
>
>
>
> thank's for your response. The permission setting you described is exactly
> the setting I found on my host(s):
>
> root at intra:/etc/freeradius# ls -ldR /etc/freeradius/
>
> drwxr-s--x 6 freerad freerad 28 Feb 25 16:39 /etc/freeradius/
>
>
>
> _*But*_ in combination with the /etc/freeradius/users permission setting:
>
> root at intra:/etc/freeradius# ls -ldR /etc/freeradius/users
>
> -rw-r--r-- 1 root root 6524 Jul 26 2017 /etc/freeradius/users
>
>
>
> An "other" user can simply read the (maybe sensitive) content via a simple
> "cat /etc/freeradius/users".
>
>
>
> So, from my point of view the /etc/freeradius permissions should for
> example be set to 750 or the files within this directory (especially the
> „users“ file) need more restrictive permissions.
>
>
>
> Sorry for not sending the bugreport from the affected host, but in this
> case I think it is not necessary anymore?
>
It would still be good to know the version numbers involved, as permissions
have changed repeatedly over time.
When doing a fresh installation, or upgrading from < 3.0.12+dfsg-2, the
postinst script will change the permission of all files underneath
/etc/freeradius to 640, so either you must be using a very old version, or
something else went wrong. I’m also curious because recent package versions
use /etc/freeradius/3.0, not /etc/freeradius.
In any case, the packaging used mode 2751 for /etc/freeradius before I
became the maintainer, so I never questioned it.
Especially seeing that upstream is in agreement, I’m all for using a
stricter permission. I’ll change the package to use 2750 going forward.
jmm, is there any documentation regarding best practices for /etc directory
modes in Debian that I could refer to in my commit message?
>
>
> Greets
>
> Simon
>
>
>
>
>
> *Von:* michael at i3wm.org [mailto:michael at i3wm.org] *Im Auftrag von *Michael
> Stapelberg
> *Gesendet:* Sonntag, 25. Februar 2018 16:13
> *An:* Simon Boldinger <simon at turnagile.com>; 890933 at bugs.debian.org
> *Betreff:* Re: [Pkg-freeradius-maintainers] Bug#890933: freeradius: File
> permissions allow access to sensitive information by "others"
>
>
>
> Hey Simon,
>
>
>
> On Tue, Feb 20, 2018 at 8:09 PM, Simon Boldinger <simon at turnagile.com>
> wrote:
>
> Package: freeradius
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Dear Maintainer,
>
> first of all, I already shared the following information with the debian
> security team and they asked me to file this as a bug report: "I'm not why
> the
> Debian packaging diverges, can you please file a bug against freeradius to
> have
> the discussion with the maintainers in public?", Moritz Muehlenhoff from
> debian
> security team.
>
> Issue:
> It seems, that sensitive information (for example stored in
> /etc/freeradius/users) can be read by every system user ("others"). After
> asking the freeradius team I was told, that the /etc/freeradius directory
> has
> permissions 750 on their install (see Makefile). On my standard
> ubuntu/debian
> package installation there is another/divergent permission set, which
> allows
> every system user to access the freeradius directory (and therefore also
> some
> files like /etc/freeradius/users which can contain sensitive information).
>
>
>
> I cannot reproduce this. After “apt install freeradius” on debian sid, I
> end up with the following directory:
>
>
>
> root at a584ef009927:/# ls -ldR /etc/freeradius
>
> drwxr-s--x 3 freerad freerad 4096 Feb 25 15:08 /etc/freeradius
>
>
>
> The permissions are set up by https://anonscm.debian.org/
> cgit/pkg-freeradius/freeradius.git/tree/debian/freeradius.postinst?id=
> f205eab8474e33183d936f4f60006a2e070e8335#n23
>
>
>
> Unfortunately, your bug report was not filed from the machine on which you
> installed freeradius, so I can’t see which version of the package you’re
> using.
>
>
>
> Can you provide more details on your installation, along with the result
> of ls -ldR /etc/freeradius please?
>
>
>
>
> I assume the debian freeradius package should be adapted, so that access
> to the
> whole /etc/freeradius directory is restricted, as intended by the
> freeradius
> team.
>
> Best regards
> Simon Boldinger
>
>
>
> -- System Information:
> Debian Release: stretch/sid
> APT prefers artful-updates
> APT policy: (500, 'artful-updates'), (500, 'artful-security'), (500,
> 'artful'), (100, 'artful-backports')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.13.0-32-generic (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
> LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages freeradius depends on:
> pn freeradius-common <none>
> pn freeradius-config <none>
> ii libc6 2.26-0ubuntu2.1
> pn libct4 <none>
> pn libfreeradius3 <none>
> ii libgdbm3 1.8.3-14
> ii libpam0g 1.1.8-3.2ubuntu3
> ii libperl5.26 5.26.0-8ubuntu1
> ii libpython2.7 2.7.14-2ubuntu2
> ii libreadline7 7.0-0ubuntu2
> ii libsqlite3-0 3.19.3-3
> ii libssl1.0.0 1.0.2g-1ubuntu13.3
> ii libtalloc2 2.1.9-2ubuntu1
> ii libwbclient0 2:4.6.7+dfsg-1ubuntu3.1
> ii lsb-base 9.20160110ubuntu5
>
> Versions of packages freeradius recommends:
> pn freeradius-utils <none>
>
> Versions of packages freeradius suggests:
> pn freeradius-krb5 <none>
> pn freeradius-ldap <none>
> pn freeradius-mysql <none>
> pn freeradius-postgresql <none>
> pn snmp <none>
>
> _______________________________________________
> Pkg-freeradius-maintainers mailing list
> Pkg-freeradius-maintainers at lists.alioth.debian.org
> https://lists.alioth.debian.org/mailman/listinfo/pkg-
> freeradius-maintainers
>
>
>
>
>
> --
>
> Best regards,
> Michael
>
--
Best regards,
Michael
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.alioth.debian.org/pipermail/pkg-freeradius-maintainers/attachments/20180226/4adb6194/attachment-0001.html>
More information about the Pkg-freeradius-maintainers
mailing list