<div dir="ltr">Hey Simon,<br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 20, 2018 at 8:09 PM, Simon Boldinger <span dir="ltr"><<a href="mailto:simon@turnagile.com" target="_blank">simon@turnagile.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Package: freeradius<br>
Severity: grave<br>
Tags: security<br>
Justification: user security hole<br>
<br>
Dear Maintainer,<br>
<br>
first of all, I already shared the following information with the debian<br>
security team and they asked me to file this as a bug report: "I'm not why the<br>
Debian packaging diverges, can you please file a bug against freeradius to have<br>
the discussion with the maintainers in public?", Moritz Muehlenhoff from debian<br>
security team.<br>
<br>
Issue:<br>
It seems, that sensitive information (for example stored in<br>
/etc/freeradius/users) can be read by every system user ("others"). After<br>
asking the freeradius team I was told, that the /etc/freeradius directory has<br>
permissions 750 on their install (see Makefile). On my standard ubuntu/debian<br>
package installation there is another/divergent permission set, which allows<br>
every system user to access the freeradius directory (and therefore also some<br>
files like /etc/freeradius/users which can contain sensitive information).<br></blockquote><div><br></div><div>I cannot reproduce this. After “apt install freeradius” on debian sid, I end up with the following directory:</div><div><br></div><div><div>root@a584ef009927:/# ls -ldR /etc/freeradius</div><div>drwxr-s--x 3 freerad freerad 4096 Feb 25 15:08 /etc/freeradius</div></div><div><br></div><div>The permissions are set up by <a href="https://anonscm.debian.org/cgit/pkg-freeradius/freeradius.git/tree/debian/freeradius.postinst?id=f205eab8474e33183d936f4f60006a2e070e8335#n23">https://anonscm.debian.org/cgit/pkg-freeradius/freeradius.git/tree/debian/freeradius.postinst?id=f205eab8474e33183d936f4f60006a2e070e8335#n23</a></div><div><br></div><div>Unfortunately, your bug report was not filed from the machine on which you installed freeradius, so I can’t see which version of the package you’re using.</div><div><br></div><div>Can you provide more details on your installation, along with the result of ls -ldR /etc/freeradius please?</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
I assume the debian freeradius package should be adapted, so that access to the<br>
whole /etc/freeradius directory is restricted, as intended by the freeradius<br>
team.<br>
<br>
Best regards<br>
Simon Boldinger<br>
<br>
<br>
<br>
-- System Information:<br>
Debian Release: stretch/sid<br>
APT prefers artful-updates<br>
APT policy: (500, 'artful-updates'), (500, 'artful-security'), (500, 'artful'), (100, 'artful-backports')<br>
Architecture: amd64 (x86_64)<br>
Foreign Architectures: i386<br>
<br>
Kernel: Linux 4.13.0-32-generic (SMP w/8 CPU cores)<br>
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)<br>
Shell: /bin/sh linked to /bin/dash<br>
Init: systemd (via /run/systemd/system)<br>
<br>
Versions of packages freeradius depends on:<br>
pn freeradius-common <none><br>
pn freeradius-config <none><br>
ii libc6 2.26-0ubuntu2.1<br>
pn libct4 <none><br>
pn libfreeradius3 <none><br>
ii libgdbm3 1.8.3-14<br>
ii libpam0g 1.1.8-3.2ubuntu3<br>
ii libperl5.26 5.26.0-8ubuntu1<br>
ii libpython2.7 2.7.14-2ubuntu2<br>
ii libreadline7 7.0-0ubuntu2<br>
ii libsqlite3-0 3.19.3-3<br>
ii libssl1.0.0 1.0.2g-1ubuntu13.3<br>
ii libtalloc2 2.1.9-2ubuntu1<br>
ii libwbclient0 2:4.6.7+dfsg-1ubuntu3.1<br>
ii lsb-base 9.20160110ubuntu5<br>
<br>
Versions of packages freeradius recommends:<br>
pn freeradius-utils <none><br>
<br>
Versions of packages freeradius suggests:<br>
pn freeradius-krb5 <none><br>
pn freeradius-ldap <none><br>
pn freeradius-mysql <none><br>
pn freeradius-postgresql <none><br>
pn snmp <none><br>
<br>
______________________________<wbr>_________________<br>
Pkg-freeradius-maintainers mailing list<br>
<a href="mailto:Pkg-freeradius-maintainers@lists.alioth.debian.org">Pkg-freeradius-maintainers@<wbr>lists.alioth.debian.org</a><br>
<a href="https://lists.alioth.debian.org/mailman/listinfo/pkg-freeradius-maintainers" rel="noreferrer" target="_blank">https://lists.alioth.debian.<wbr>org/mailman/listinfo/pkg-<wbr>freeradius-maintainers</a><br>
</blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature">Best regards,<br>Michael</div>
</div></div>