[DRE-maint] Bug#850858: diaspora-common: twitter_secret etc are stored in world-readable files
Julian Gilbey
jdg at debian.org
Tue Jan 10 19:10:10 UTC 2017
Package: diaspora-common
Version: 0.6.0.0+debian5
Severity: serious
Hi Pirate,

I believe this is a security hole, but will not affect every user of
the package, hence why I have set it to Severity: serious.

During the debconf setup, you are asked (if twitter etc are selected)
for your Twitter Key and Twitter Secret (and likewise for the other
services). (It is not immediately clear what these mean; the debconf
questions could be improved on this point, I guess. But that's not
the focus of this bug report.)

The secret (and possibly the key as well) should not be
world-readable, but they are stored in the world-readable file
/var/cache/debconf/config.dat. They (or at least the Secret) need to
be flagged as being passwords in the template file (Type: password
rather than Type: string).

In addition, these data are then stored in the configuration file
/var/lib/diaspora-common/diaspora.conf
However, this file is also world-readable and needs to be readable by
only those system users who need to be able to have access to this
data (perhaps the diaspora user or group www-data?).

Best wishes,

Julian
-- System Information:
Debian Release: stretch/sid
APT prefers jessie
APT policy: (500, 'jessie'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.8.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_GB.UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages diaspora-common depends on:
ii adduser 3.115
ii bc 1.06.95-9+b2
ii ca-certificates 20161130
ii curl 7.51.0-1
ii dbconfig-mysql 2.0.7
ii debconf [debconf-2.0] 1.5.59
ii default-mysql-server 1.0.1
ii exim4 4.88-2
ii exim4-daemon-light [mail-transport-agent] 4.88-2
ii lsb-base 9.20161125
ii mariadb-server-10.0 [virtual-mysql-server] 10.0.28-2
ii net-tools 1.60+git20161116.90da8a0-1
ii nginx-full [nginx] 1.10.2-3
ii nodejs 4.6.1~dfsg-1
ii postgresql 9.6+178
ii rake 10.5.0-2
ii redis-server 3:3.2.6-1
ii ruby 1:2.3.3
ii ruby-rspec 3.5.0c3e0m0s0-1
ii ruby2.1 [ruby-interpreter] 2.1.5-4
ii sudo 1.8.19-1
ii ucf 3.0036
diaspora-common recommends no packages.
Versions of packages diaspora-common suggests:
ii easy-rsa 2.2.2-2
-- debconf information excluded
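An added example (not part of the bug report or of the diaspora-common package) of the maintainer-script side of the fix the report asks for: writing the configuration file with restrictive permissions from the moment it is created, plus a check for the world-readable condition described above. The demo directory, the service group name "diaspora" and the key/secret values are constructed assumptions.

```shell
#!/bin/sh
# Demo of installing a secrets-bearing config file safely (added example,
# not the package's real postinst). In a real postinst the values would come
# from db_get via /usr/share/debconf/confmodule, and the template must use
# "Type: password" so debconf keeps them out of world-readable config.dat.
set -e

DEMO_ROOT="${DEMO_ROOT:-$(mktemp -d)}"   # constructed stand-in for /var/lib/diaspora-common
CONF="$DEMO_ROOT/diaspora.conf"
SERVICE_GROUP="diaspora"                  # assumption: group that must read the file

# Returns 0 when FILE has any "other" read/execute bits set (the state the
# bug report flags), 1 otherwise. Uses GNU stat as on Debian.
is_world_readable() {
    mode=$(stat -c '%a' "$1")             # e.g. 644; last digit is "other"
    case "$mode" in
        *[4567]) return 0 ;;
        *)       return 1 ;;
    esac
}

# Writes KEY and SECRET to $CONF as root:$SERVICE_GROUP with mode 0640.
# The file is built under a restrictive umask in a temp file and renamed into
# place, so there is never a window in which a world-readable copy exists and
# any pre-existing 0644 file is replaced atomically.
write_conf() {
    twitter_key="$1"; twitter_secret="$2"
    umask 027
    tmp=$(mktemp "$DEMO_ROOT/diaspora.conf.XXXXXX")   # created 0600
    printf 'TWITTER_KEY=%s\nTWITTER_SECRET=%s\n' \
        "$twitter_key" "$twitter_secret" > "$tmp"
    # Only hand the file to the service group if it exists on this system.
    if getent group "$SERVICE_GROUP" >/dev/null 2>&1; then
        chgrp "$SERVICE_GROUP" "$tmp"
    fi
    chmod 0640 "$tmp"
    mv -f "$tmp" "$CONF"
}

# Sanity check: mode must be exactly 0640 after installation.
conf_mode() {
    stat -c '%a' "$CONF"
}
```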