[Pkg-freeradius-maintainers] Bug#890933: Bug#890933: freeradius: File permissions allow access to sensitive information by "others"

Michael Stapelberg stapelberg at debian.org
Mon Feb 26 20:46:24 UTC 2018


On Mon, Feb 26, 2018 at 8:17 PM, <simon at turnagile.com> wrote:

> Hi Michael,
>
> thanks for your response. The permission setting you described is exactly
> the setting I found on my host(s):
>
> root at intra:/etc/freeradius# ls -ldR /etc/freeradius/
> drwxr-s--x 6 freerad freerad 28 Feb 25 16:39 /etc/freeradius/
>
> _*But*_ in combination with the /etc/freeradius/users permission setting:
>
> root at intra:/etc/freeradius# ls -ldR /etc/freeradius/users
> -rw-r--r-- 1 root root 6524 Jul 26  2017 /etc/freeradius/users
>
> An "other" user can simply read the (maybe sensitive) content via a simple
> "cat /etc/freeradius/users".
>
> So, from my point of view the /etc/freeradius permissions should for
> example be set to 750 or the files within this directory (especially the
> „users“ file) need more restrictive permissions.
>
> Sorry for not sending the bug report from the affected host, but in this
> case I think it is not necessary anymore?
>

It would still be good to know the version numbers involved, as permissions
have changed repeatedly over time.

When doing a fresh installation, or upgrading from < 3.0.12+dfsg-2, the
postinst script will change the permission of all files underneath
/etc/freeradius to 640, so either you must be using a very old version, or
something else went wrong. I’m also curious because recent package versions
use /etc/freeradius/3.0, not /etc/freeradius.

In any case, the packaging used mode 2751 for /etc/freeradius before I
became the maintainer, so I never questioned it.

Especially seeing that upstream is in agreement, I’m all for using a
stricter permission. I’ll change the package to use 2750 going forward.

jmm, is there any documentation regarding best practices for /etc directory
modes in Debian that I could refer to in my commit message?


>
> Greets
>
> Simon
>
> *From:* michael at i3wm.org [mailto:michael at i3wm.org] *On behalf of *Michael
> Stapelberg
> *Sent:* Sunday, 25 February 2018 16:13
> *To:* Simon Boldinger <simon at turnagile.com>; 890933 at bugs.debian.org
> *Subject:* Re: [Pkg-freeradius-maintainers] Bug#890933: freeradius: File
> permissions allow access to sensitive information by "others"
>
> Hey Simon,
>
> On Tue, Feb 20, 2018 at 8:09 PM, Simon Boldinger <simon at turnagile.com>
> wrote:
>
> Package: freeradius
> Severity: grave
> Tags: security
> Justification: user security hole
>
> Dear Maintainer,
>
> first of all, I already shared the following information with the debian
> security team and they asked me to file this as a bug report: "I'm not sure
> why the Debian packaging diverges, can you please file a bug against
> freeradius to have the discussion with the maintainers in public?", Moritz
> Muehlenhoff from debian security team.
>
> Issue:
> It seems that sensitive information (for example stored in
> /etc/freeradius/users) can be read by every system user ("others"). After
> asking the freeradius team I was told that the /etc/freeradius directory
> has permissions 750 on their install (see Makefile). On my standard
> ubuntu/debian package installation there is another/divergent permission
> set, which allows every system user to access the freeradius directory (and
> therefore also some files like /etc/freeradius/users which can contain
> sensitive information).
>
> I cannot reproduce this. After “apt install freeradius” on debian sid, I
> end up with the following directory:
>
> root at a584ef009927:/# ls -ldR /etc/freeradius
> drwxr-s--x 3 freerad freerad 4096 Feb 25 15:08 /etc/freeradius
>
> The permissions are set up by
> https://anonscm.debian.org/cgit/pkg-freeradius/freeradius.git/tree/debian/freeradius.postinst?id=f205eab8474e33183d936f4f60006a2e070e8335#n23
>
> Unfortunately, your bug report was not filed from the machine on which you
> installed freeradius, so I can’t see which version of the package you’re
> using.
>
> Can you provide more details on your installation, along with the result
> of ls -ldR /etc/freeradius please?
>
> I assume the debian freeradius package should be adapted, so that access
> to the whole /etc/freeradius directory is restricted, as intended by the
> freeradius team.
>
> Best regards
> Simon Boldinger
>
> -- System Information:
> Debian Release: stretch/sid
>   APT prefers artful-updates
>   APT policy: (500, 'artful-updates'), (500, 'artful-security'), (500,
> 'artful'), (100, 'artful-backports')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 4.13.0-32-generic (SMP w/8 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
> LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages freeradius depends on:
> pn  freeradius-common  <none>
> pn  freeradius-config  <none>
> ii  libc6              2.26-0ubuntu2.1
> pn  libct4             <none>
> pn  libfreeradius3     <none>
> ii  libgdbm3           1.8.3-14
> ii  libpam0g           1.1.8-3.2ubuntu3
> ii  libperl5.26        5.26.0-8ubuntu1
> ii  libpython2.7       2.7.14-2ubuntu2
> ii  libreadline7       7.0-0ubuntu2
> ii  libsqlite3-0       3.19.3-3
> ii  libssl1.0.0        1.0.2g-1ubuntu13.3
> ii  libtalloc2         2.1.9-2ubuntu1
> ii  libwbclient0       2:4.6.7+dfsg-1ubuntu3.1
> ii  lsb-base           9.20160110ubuntu5
>
> Versions of packages freeradius recommends:
> pn  freeradius-utils  <none>
>
> Versions of packages freeradius suggests:
> pn  freeradius-krb5        <none>
> pn  freeradius-ldap        <none>
> pn  freeradius-mysql       <none>
> pn  freeradius-postgresql  <none>
> pn  snmp                   <none>
>
> _______________________________________________
> Pkg-freeradius-maintainers mailing list
> Pkg-freeradius-maintainers at lists.alioth.debian.org
> https://lists.alioth.debian.org/mailman/listinfo/pkg-freeradius-maintainers
>
> --
> Best regards,
> Michael



-- 
Best regards,
Michael
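An added example, not part of this thread or of the Debian freeradius package: a small POSIX shell audit that reproduces the point under discussion. A file leaks to an "other" user only when every directory on the path grants o+x (traverse) and the file itself grants o+r, so a directory at 2751 with a 644 `users` file (Simon's host) leaks, while either the 2750 directory mode Michael intends to switch to or the 640 file mode the postinst applies closes it. The temporary tree and its contents are constructed sample data, the function names (`mode_of`, `others_can_read`, `world_readable_files`, `leak_count`) are chosen here, and the audit assumes that everything above the audited directory (such as /etc) is traversable by others.

```shell
#!/bin/sh
# Added example: audit a configuration directory for files that "others"
# can reach AND read. Modes only; no real system files are touched.

# Octal permission bits of a path (GNU stat first, BSD stat as fallback).
# GNU prints setgid/setuid/sticky bits too, e.g. "2751"; we only ever
# look at the last octal digit (the "other" class), so both forms work.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if others can read $1, assuming every directory above the audit
# root $2 is traversable. $2 must be an ancestor of $1 (no trailing slash).
others_can_read() {
    file=$1; root=$2
    other=$(( $(mode_of "$file") % 10 ))      # "other" class digit
    [ $(( other & 4 )) -ne 0 ] || return 1     # needs o+r on the file
    dir=$(dirname "$file")
    while :; do
        other=$(( $(mode_of "$dir") % 10 ))
        [ $(( other & 1 )) -ne 0 ] || return 1 # needs o+x on every parent
        [ "$dir" = "$root" ] && return 0
        [ "$dir" = "/" ] && return 0
        dir=$(dirname "$dir")
    done
}

# Print every regular file under $1 that others can reach and read.
world_readable_files() {
    root=${1%/}
    find "$root" -type f | while read -r f; do
        others_can_read "$f" "$root" && printf '%s\n' "$f"
    done
}

# Build a constructed tree mirroring the report (not a real install):
# one directory holding a "users" file and a "radiusd.conf", apply the
# given directory and file modes, and return how many files leak.
leak_count() {
    dir_mode=$1; file_mode=$2
    tmp=$(mktemp -d)
    mkdir "$tmp/freeradius"
    printf 'bob Cleartext-Password := "example-only"\n' > "$tmp/freeradius/users"
    printf '# constructed sample config\n' > "$tmp/freeradius/radiusd.conf"
    chmod "$file_mode" "$tmp/freeradius/users" "$tmp/freeradius/radiusd.conf"
    chmod "$dir_mode" "$tmp/freeradius"
    n=$(world_readable_files "$tmp/freeradius" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$n"
}

# Usage: ./audit.sh --demo  runs the three combinations from the thread.
if [ "${1:-}" = "--demo" ]; then
    for combo in "2751 644" "2750 644" "2751 640"; do
        set -- $combo
        printf 'dir %s, files %s: %s world-readable file(s)\n' \
            "$1" "$2" "$(leak_count "$1" "$2")"
    done
fi
```

The check deliberately ignores the directory's o+r bit: with 2751, `ls /etc/freeradius` fails for an unprivileged user, but `cat /etc/freeradius/users` still succeeds because traversal only needs o+x and the file name is well known. Running the same audit against a real install (`world_readable_files /etc/freeradius`) is a quick way to confirm which of the two fixes a given package version actually applied.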