[Debian-iot-maintainers] Bug#873365: librad0: radUtilsBecomeDaemon should not set umask(0)
Kevin Locke
kevin at kevinlocke.name
Sat Aug 26 23:15:38 UTC 2017
Package: librad0
Version: 2.12.0-4
Severity: normal

Dear Maintainer,

Thanks for packaging radlib! As a wview user it's nice to see one of
its dependencies added to the official repos.

I recently realized that wview creates most files world-writable, which
is a pretty big security issue. The cause is the radlib
radUtilsBecomeDaemon function unconditionally calling umask(0) after
fork() and none of the wview daemons call umask with a sane value after
that. This is radlib issue #2 which was opened in 2011 and hasn't
received any comment.[1]

I was hoping you might be willing to carry a patch which removes the
umask(0) call. Otherwise I (and presumably many other users of radlib)
will need to update all calls to radUtilsBecomeDaemon to save/restore
the umask.

Thanks for considering,
Kevin

1. https://sourceforge.net/p/radlib/bugs/2/

-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.12.0-kevinoid1 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8), LANGUAGE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages librad0 depends on:
ii libc6 2.24-14
ii libsqlite3-0 3.19.3-3
librad0 recommends no packages.
Versions of packages librad0 suggests:
pn librad0-tools <none>
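
The caller-side save/restore workaround mentioned in the report, shown next to the effect it prevents. This is an added example, not part of the original message and not radlib or wview code: `become_daemon_stub` is a hypothetical stand-in that reproduces only the umask(0) side effect (no fork), and the 0666 create mode, the 022 starting umask and the /tmp path are assumptions.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical stand-in: reproduces only the side effect from the report,
 * a daemonizing helper that leaves the process umask at 0. */
static void become_daemon_stub(void) { umask(0); }

/* Caller-side workaround: save the umask, call the helper, restore it. */
static void become_daemon_keep_umask(void)
{
    mode_t saved = umask(0);   /* umask() can only be read by setting it */
    umask(saved);              /* put it back before calling the helper */
    become_daemon_stub();
    umask(saved);              /* undo the helper's umask(0) */
}

/* Create a file the way a daemon commonly does (requested mode 0666)
 * and return the permission bits it actually received, or -1 on error. */
static int created_mode(void)
{
    char path[64];
    struct stat st;
    int fd, mode = -1;

    snprintf(path, sizeof path, "/tmp/umask-demo-%ld", (long)getpid());
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0666);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0)
        mode = (int)(st.st_mode & 0777);
    close(fd);
    unlink(path);
    return mode;
}

/* Both cases start from an assumed umask of 022. */
int mode_with_stub(void)       { umask(022); become_daemon_stub();       return created_mode(); }
int mode_with_workaround(void) { umask(022); become_daemon_keep_umask(); return created_mode(); }

int main(void)
{
    printf("umask left at 0:  %04o\n", (unsigned)mode_with_stub());
    printf("umask restored:   %04o\n", (unsigned)mode_with_workaround());
    return 0;
}
```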