[Popcon-developers] Bug#414644: popularity-contest: HOME=/tmp is not a good idea

Bill Allombert Bill.Allombert at math.u-bordeaux1.fr
Tue Mar 13 22:31:27 CET 2007


severity 414644 serious
quit
On Tue, Mar 13, 2007 at 12:39:08AM +0100, Robert Luberda wrote:
> Package: popularity-contest
> Version: 1.40
> Severity: important
> Tags: security, patch
> 
> Hi,
> 
> The popularity-contest's weekly cron job sets HOME to /tmp before
> generating the popularity report. By doing that it tries to avoid dpkg
> failures on unreadable /root/.dpkg.cfg file.
> However /tmp is world-writable, so any user can create /tmp/.dpkg.cfg
> and make it unreadable for others, thus causing dpkg to generate a
> "failed to open config file" warning.
> 
> Patch:
> - set HOME to e.g. /nonexistent 
> or
> - don't pass the `-p' option to su

Actually this is worse than that: the user can add various options to
dpkg in that file that will then be used by dpkg.

I am evaluating the following patch (which does the latter of your
proposals).

Cheers,
-- 
Bill. <ballombe at debian.org>

Imagine a large blue swirl here. 

Index: debian/cron.weekly
===================================================================
RCS file: /cvsroot/popcon/popularity-contest/debian/cron.weekly,v
retrieving revision 1.18
diff -u -r1.18 cron.weekly
--- debian/cron.weekly	7 Oct 2006 14:50:32 -0000	1.18
+++ debian/cron.weekly	13 Mar 2007 21:11:46 -0000
@@ -30,8 +30,7 @@
 
 run_popcon()
 {
-	# Set HOME to avoid bug #212013.
-	HOME=/tmp su -pc "sh -c /usr/sbin/popularity-contest" nobody
+	su -c "sh -c /usr/sbin/popularity-contest" nobody
 }
 
 do_sendmail()
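Review bot: the removed comment was the only record of why HOME was being set at all (bug #212013); keep a one-line comment above the new `su -c` call stating that su without `-p` resets HOME to the nobody account's home directory from /etc/passwd, so the unreadable /root/.dpkg.cfg case does not recur and nobody later reintroduces `HOME=/tmp`. It is also worth confirming that the nobody account's home directory is not itself world-writable, since dpkg would otherwise read a `.dpkg.cfg` seeded there exactly as it did with /tmp/.dpkg.cfg.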
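As an added check (not part of this bug report or of the popcon package), a small POSIX sh helper that flags a candidate HOME directory other local users can write to, reports whether a `.dpkg.cfg` already present there belongs to the expected account, and shows which HOME `su` without `-p` would pick from /etc/passwd; the function names are mine.

```shell
#!/bin/sh
# Added example: sanity checks for the HOME a cron job hands to a
# less-privileged account, motivated by the HOME=/tmp problem above.

# home_is_safe DIR
#   0: DIR exists and is not world-writable
#   1: DIR is world-writable (sticky bit does not help: anyone may
#      still create a fresh DIR/.dpkg.cfg there)
#   2: DIR does not exist or is not a directory
home_is_safe() {
    dir=$1
    [ -d "$dir" ] || return 2
    # -perm -0002: "others" write bit set; -prune stops at DIR itself
    if [ -n "$(find "$dir" -prune -perm -0002 -print)" ]; then
        return 1
    fi
    return 0
}

# dpkg_cfg_owner_ok DIR USER
#   0 if DIR/.dpkg.cfg is absent or owned by USER, 1 otherwise
#   (a config file owned by someone else is exactly the seeded-file case)
dpkg_cfg_owner_ok() {
    dir=$1
    expected=$2
    cfg="$dir/.dpkg.cfg"
    [ -e "$cfg" ] || return 0
    owner=$(ls -ld "$cfg" | awk '{print $3}')
    [ "$owner" = "$expected" ]
}

# passwd_home USER
#   prints the home directory /etc/passwd assigns to USER, i.e. the HOME
#   that "su -c ... USER" (without -p) will set for the command
passwd_home() {
    awk -F: -v u="$1" '$1 == u { print $6 }' /etc/passwd
}

# Example run: /tmp is the directory the old cron job used.
if home_is_safe /tmp; then
    echo "/tmp: ok"
else
    echo "/tmp: not a safe HOME (rc=$?)"
fi
echo "nobody's HOME from /etc/passwd: $(passwd_home nobody)"
```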



