[Pkg-xmpp-devel] Bug#632631: jwchat: strange and insecure file permission
Helmut Grohne
helmut at subdivi.de
Mon Jul 4 08:32:00 UTC 2011
Package: jwchat
Version: 1.0beta3-3
Severity: important
Tags: security
The postinst of jwchat has some strange ideas about file permissions.
1) It assigns /etc/jwchat/config.js to www-data:www-data. The file is to
be considered static configuration. I see no reason why www-data
should be able to modify it.
Note that the file mode is 700. On changing the owner to a sane value
such as root, additional read permission must be granted. This should
not pose a problem, because the file does not contain confidential
information and is exported via HTTP anyway.
See also: http://bugs.debian.org/396255
2) It assigns /usr/share/jwchat/www to nobody:nogroup recursively. I see
no reason why nobody should be able to modify this data.
The bug is also present in sid 1.0+dfsg-1.
Helmut
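
An added example, not part of the original report or of the jwchat package: a shell audit for the conditions described above, namely static files owned by a service account such as www-data or nobody, and files that would become unreadable to the web server once ownership moves to root (the mode 700 case). The function name `audit_static_tree`, the default trusted owner `root`, and the extra group/world-writable check are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a static config file or web root for the ownership
# and mode problems described in the report. Not jwchat's own code.

# audit_static_tree TARGET [OWNER]
#   OWNER defaults to root (assumption: static data should be root-owned).
#   Prints one finding per line and returns 1 if anything was flagged.
audit_static_tree() {
    target=$1
    owner=${2:-root}
    findings=$(
        # Entries not owned by the trusted owner, e.g. www-data or nobody.
        find "$target" ! -user "$owner" | sed 's/^/OWNER /'
        # Extra check (assumption): group- or world-writable entries.
        find "$target" ! -type l \( -perm -020 -o -perm -002 \) |
            sed 's/^/WRITABLE /'
        # Regular files without world read permission: once the web server
        # no longer owns them (e.g. mode 700), it cannot serve them.
        find "$target" -type f ! -perm -004 | sed 's/^/UNREADABLE /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Stand-alone use: audit every path given on the command line.
if [ "$#" -gt 0 ]; then
    status=0
    for p in "$@"; do
        audit_static_tree "$p" || status=1
    done
    exit "$status"
fi
```

Run it as `sh audit.sh /etc/jwchat/config.js /usr/share/jwchat/www`; a non-zero exit status means at least one path was flagged.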