[Pkg-rust-maintainers] Bug#1082432: audit, rust-laurel: Permission mismatch for /etc/audit/ dirs
Guillem Jover
guillem at debian.org
Fri Sep 20 23:54:43 BST 2024
Source: audit, rust-laurel
Severity: important
X-Debbugs-Cc: Helmut Grohne <helmut at subdivi.de>
Hi!

While analyzing the archive for mismatched file metadata (as part of
the preparation to add support into dpkg), thanks to Helmut gathering
the data from the archive, I noticed that these two source packages
generate binaries that have a mismatch in the permissions for the
/etc/audit/ and /etc/audit/plugins.d/ directories, where there could be
security implications if the contents are expected to contain secrets
that only root is supposed to read, as the permissions of the directory
are decided by the first package being unpacked, and subsequent
directory unpacks get ignored (including any change in permissions).

$ dpkg-deb -c audispd-plugins_1%3a4.0.1-1_amd64.deb | grep '/etc/audit.*/$'
drwxr-x--- root/root 0 2024-08-09 11:04 ./etc/audit/
drwxr-x--- root/root 0 2024-08-09 11:04 ./etc/audit/plugins.d/
$ dpkg-deb -c auditd_1%3a4.0.1-1_amd64.deb | grep '/etc/audit.*/$'
drwxr-x--- root/root 0 2024-08-09 11:04 ./etc/audit/
drwxr-x--- root/root 0 2024-08-09 11:04 ./etc/audit/plugins.d/
drwxr-x--- root/root 0 2024-08-09 11:04 ./etc/audit/rules.d/
$ dpkg-deb -c laurel_0.6.3-1_amd64.deb | grep '/etc/audit.*/$'
drwxr-xr-x root/root 0 2024-09-11 10:33 ./etc/audit/
drwxr-xr-x root/root 0 2024-09-11 10:33 ./etc/audit/plugins.d/

I assume the correct ones are coming from the audit source, but assigned
to both for awareness and coordination purposes; feel free to reassign
to whichever might need to adapt the permissions. If this has security
implications then it might be worth setting the security tag, raising
the severity, and perhaps preparing a change for a stable update too? If
there are no security implications, it would still be good to make the
permissions consistent, otherwise dpkg would start warning or erroring
out on mismatched metadata once the support gets in and is enabled.

Thanks,
Guillem
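
Added example (not part of the original report, and not code from dpkg or from either package): a Python check that parses `dpkg-deb -c` listings and reports directories that several packages ship with differing mode or ownership, which is the condition described above. The function names are hypothetical; the sample listings are copied from the output quoted in the report.

```python
import re
from collections import defaultdict

# Listings copied from the dpkg-deb -c output quoted in the report.
LISTINGS = {
    "audispd-plugins": """\
drwxr-x--- root/root 0 2024-08-09 11:04 ./etc/audit/
drwxr-x--- root/root 0 2024-08-09 11:04 ./etc/audit/plugins.d/
""",
    "auditd": """\
drwxr-x--- root/root 0 2024-08-09 11:04 ./etc/audit/
drwxr-x--- root/root 0 2024-08-09 11:04 ./etc/audit/plugins.d/
drwxr-x--- root/root 0 2024-08-09 11:04 ./etc/audit/rules.d/
""",
    "laurel": """\
drwxr-xr-x root/root 0 2024-09-11 10:33 ./etc/audit/
drwxr-xr-x root/root 0 2024-09-11 10:33 ./etc/audit/plugins.d/
""",
}

# Fields: mode, owner/group, size, date, time, path (directory entries only).
LINE = re.compile(r"^(d[rwxsStT-]{9})\s+([^/\s]+)/(\S+)\s+\d+\s+\S+\s+\S+\s+(\./.*/)$")

def dir_metadata(listing):
    """Yield (path, (mode, owner, group)) for each directory in a listing."""
    for line in listing.splitlines():
        m = LINE.match(line.strip())
        if m:
            mode, owner, group, path = m.groups()
            yield path, (mode, owner, group)

def find_mismatches(listings):
    """Return {path: {(mode, owner, group): [packages]}} where metadata differs."""
    seen = defaultdict(lambda: defaultdict(list))
    for pkg, listing in listings.items():
        for path, meta in dir_metadata(listing):
            seen[path][meta].append(pkg)
    return {p: dict(v) for p, v in seen.items() if len(v) > 1}

def world_accessible(mode):
    """True if the 'other' permission triplet of an ls-style mode grants anything."""
    return mode[7:10] != "---"

if __name__ == "__main__":
    for path, variants in sorted(find_mismatches(LISTINGS).items()):
        print(path)
        for (mode, owner, group), pkgs in variants.items():
            flag = "  <- readable by non-root" if world_accessible(mode) else ""
            print(f"  {mode} {owner}/{group}  {', '.join(pkgs)}{flag}")
```

Because the first package unpacked decides the directory's mode, any path this reports with a world-accessible variant can end up more permissive than the stricter package intends, depending on install order.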