[Pkg-libvirt-maintainers] Bug#632332: libvirt-bin: directory permissions differ from upstream
Jim Paris
jim at jtan.com
Fri Jul 1 14:08:47 UTC 2011
Package: libvirt-bin
Version: 0.9.2-5
Severity: normal
On the libvirt mailing list, I noticed this patch:
http://www.redhat.com/archives/libvir-list/2011-May/msg01367.html
Subject: [PATCH] libvirt.spec: /var/cache/libvirt should be 0711.
I was curious to see if this packaging change made its way to Debian,
but it seems that we don't set _any_ of the permissions like the .spec
file does. The particular bug they were trying to fix likely doesn't
exist in Debian because our /var/cache/libvirt is already overly
permissive, but this seems like an oversight and can be a potential
security issue (information leakage due to default 0755 rather than
the more restrictive permissions that the .spec file lists).
-jim
-- System Information:
Debian Release: 6.0
APT prefers testing
APT policy: (300, 'testing'), (50, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.39-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libvirt-bin depends on:
ii adduser 3.112+nmu2 add and remove users and groups
ii gettext-base 0.18.1.1-3 GNU Internationalization utilities
ii libavahi-client3 0.6.27-2 Avahi client library
ii libavahi-common3 0.6.27-2 Avahi common library
ii libblkid1 2.17.2-9 block device id library
ii libc6 2.11.2-10 Embedded GNU C Library: Shared lib
ii libcap-ng0 0.6.4-1 An alternate posix capabilities li
ii libdevmapper1.02.1 2:1.02.48-5 The Linux Kernel Device Mapper use
ii libgcrypt11 1.5.0~beta1-1 LGPL Crypto library - runtime libr
ii libgnutls26 2.11.6-2 the GNU TLS library - runtime libr
ii libnl1 1.1-6 library for dealing with netlink s
ii libparted0debian1 2.3-5 The GNU Parted disk partitioning s
ii libpciaccess0 0.12.0-1 Generic PCI access library for X
ii libreadline6 6.1-3 GNU readline and history libraries
ii libsasl2-2 2.1.23.dfsg1-7 Cyrus SASL - authentication abstra
ii libudev0 164-3 libudev shared library
ii libuuid1 2.17.2-9 Universally Unique ID library
ii libvirt0 0.9.2-5 library for interfacing with diffe
ii libxenstore3.0 4.0.1-2 Xenstore communications library fo
ii libxml2 2.7.8.dfsg-2 GNOME XML library
ii logrotate 3.7.8-6 Log rotation utility
Versions of packages libvirt-bin recommends:
ii bridge-utils 1.4-5 Utilities for configuring the Linu
ii dmidecode 2.9-1.2 Dump Desktop Management Interface
ii dnsmasq-base 2.55-2 A small caching DNS proxy and DHCP
ii ebtables 2.0.9.2-2 Ethernet bridge frame table admini
ii gawk 1:3.1.7.dfsg-5 GNU awk, a pattern scanning and pr
ii iproute 20100519-3 networking and traffic control too
ii iptables 1.4.11.1-2 administration tools for packet fi
ii libxml2-utils 2.7.8.dfsg-2 XML utilities
ii netcat-openbsd 1.89-4 TCP/IP swiss army knife
ii qemu 0.14.0+dfsg-5.1 fast processor emulator
ii qemu-kvm 0.14.0+dfsg-1~tls Full virtualization on x86 hardwar
Versions of packages libvirt-bin suggests:
ii policykit-1 0.101-4 framework for managing administrat
-- no debconf information
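One way to check an installed system for the condition this report describes, as an added example that is not part of the original message or of the Debian or libvirt packaging: it flags a directory whose mode grants bits beyond an expected mode (0711 for /var/cache/libvirt, per the patch subject above). The function names are hypothetical, GNU `stat` is assumed, and the demo runs on a constructed scratch directory.

```shell
#!/bin/sh
# Added example: flag directories more permissive than an expected mode.
# Assumes GNU stat (coreutils), as shipped on Debian.

# excess_bits ACTUAL EXPECTED: print (octal) the bits set in ACTUAL but not in EXPECTED.
excess_bits() {
    printf '%o\n' $(( 0$1 & ~0$2 & 07777 ))
}

# check_dir DIR EXPECTED: 0 = within expected mode, 1 = too permissive, 2 = not a directory.
check_dir() {
    dir=$1 expected=$2
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }
    actual=$(stat -c '%a' "$dir") || return 2
    extra=$(excess_bits "$actual" "$expected")
    if [ "$extra" != 0 ]; then
        echo "TOO-PERMISSIVE $dir mode=$actual expected=$expected extra=$extra"
        return 1
    fi
    echo "OK $dir mode=$actual"
}

# audit: read "MODE PATH" lines on stdin; return 1 if any directory fails.
audit() {
    rc=0
    while read -r want path; do
        case $want in ''|'#'*) continue ;; esac
        check_dir "$path" "$want" || rc=1
    done
    return $rc
}

# Constructed demo: a scratch directory stands in for /var/cache/libvirt,
# created 0755 (the default the report mentions) and checked against 0711.
scratch=$(mktemp -d)
mkdir "$scratch/cache" && chmod 0755 "$scratch/cache"
printf '0711 %s\n' "$scratch/cache" | audit || true
rm -rf "$scratch"
```

On a real host, feed `audit` the line `0711 /var/cache/libvirt`; the other directories and modes would come from the upstream .spec file, which this page does not reproduce.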