[Pkg-shadow-devel] Bug#699593: [Secure-testing-team] Bug#699593: login: wrong egid

Michael Gilbert mgilbert at debian.org
Sat Feb 2 21:50:11 UTC 2013


control: reassign -1 eglibc
control: forcemerge 698102 -1
control: tag -1 -security

On Sat, Feb 2, 2013 at 3:53 AM, Michael Tsang wrote:
> Debian GNU/kFreeBSD logs me in with a wrong egid. I did the following steps:
>
> 1. Install a new copy of Debian GNU/kFreeBSD
> 2. Configure the system to use LDAP authentication
> 3. Add an LDAP user to a local group (e.g. sudo)
> 4. Log into that user
>
> Then, I found that bash does not read the configuration files since gid and
> egid are different. This is wrong. The egid should be the same as the primary
> gid when logging in. Refer to #698102 for more details.

The inability to read a configuration file is not a security problem.
However, the ability to read/create files as the other uid would be.
If you can demonstrate that ability via this bug, please by all means
re-add the security tag and increase the severity.  Otherwise, the bug
should be closed as simply an implementation artifact differing
between Linux and FreeBSD.

Best wishes,
Mike
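
An added example, not part of the original message or of any Debian package: a small C helper for the triage question raised in the reply above. It rests on an assumption of this example, not stated in the thread, that a gid/egid mismatch matters for file access only when the egid is a group the account does not already hold; `classify_gids` and the verdict names are hypothetical.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum gid_verdict {
    GID_MATCH,           /* rgid == egid, the state the report expects after login */
    GID_MISMATCH_HELD,   /* egid differs but is a group the account already holds */
    GID_MISMATCH_EXTRA   /* egid is a group the account does not otherwise hold */
};

/* Pure classifier: `held` is the list of groups the account is entitled to. */
enum gid_verdict classify_gids(gid_t rgid, gid_t egid,
                               const gid_t *held, int nheld)
{
    if (rgid == egid)
        return GID_MATCH;
    for (int i = 0; i < nheld; i++)
        if (held[i] == egid)
            return GID_MISMATCH_HELD;
    return GID_MISMATCH_EXTRA;
}

int main(void)
{
    gid_t held[1024];
    int n = getgroups(1024, held);
    if (n < 0) {
        perror("getgroups");
        return 2;
    }
    /* POSIX leaves it unspecified whether getgroups() also returns the
     * effective gid, so confirm a HELD result against the account's
     * entries in the group database before relying on it. */
    static const char *const text[] = {
        "gid == egid",
        "gid != egid, egid is a group this account already holds",
        "gid != egid, egid is NOT otherwise held: check group-owned file access"
    };
    enum gid_verdict v = classify_gids(getgid(), getegid(), held, n);
    printf("rgid=%ld egid=%ld: %s\n", (long)getgid(), (long)getegid(), text[v]);
    return (int)v;
}
```

Run it from the affected login session; the exit status is the verdict (0, 1 or 2).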


