<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.E-MailFormatvorlage18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;
mso-fareast-language:EN-US;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=DE link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Hi Michael,<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>thank's for your response. The permission setting you described is exactly the setting I found on my host(s):<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>root@intra:/etc/freeradius# ls -ldR /etc/freeradius/<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>drwxr-s--x 6 freerad freerad 28 Feb 25 16:39 /etc/freeradius/<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>_<i>But</i>_ in combination with the /etc/freeradius/users permission setting:<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>root@intra:/etc/freeradius# ls -ldR /etc/freeradius/users <o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>-rw-r--r-- 1 root root 6524 Jul 26 2017 /etc/freeradius/users<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>An "other" user can simply read the (maybe sensitive) content via a simple "cat /etc/freeradius/users".<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>So, from my point of view the /etc/freeradius permissions should for example be set to 750 or the files within this directory (especially the „users“ file) need more restrictive permissions. <o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Sorry for not sending the bugreport from the affected host, but in this case I think it is not necessary anymore?<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Greets<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'>Simon<o:p></o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span style='mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><b>Von:</b> michael@i3wm.org [mailto:michael@i3wm.org] <b>Im Auftrag von </b>Michael Stapelberg<br><b>Gesendet:</b> Sonntag, 25. Februar 2018 16:13<br><b>An:</b> Simon Boldinger <simon@turnagile.com>; 890933@bugs.debian.org<br><b>Betreff:</b> Re: [Pkg-freeradius-maintainers] Bug#890933: freeradius: File permissions allow access to sensitive information by "others"<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>Hey Simon,<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p><div><p class=MsoNormal>On Tue, Feb 20, 2018 at 8:09 PM, Simon Boldinger <<a href="mailto:simon@turnagile.com" target="_blank">simon@turnagile.com</a>> wrote:<o:p></o:p></p><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><p class=MsoNormal>Package: freeradius<br>Severity: grave<br>Tags: security<br>Justification: user security hole<br><br>Dear Maintainer,<br><br>first of all, I already shared the following information with the debian<br>security team and they asked me to file this as a bug report: "I'm not why the<br>Debian packaging diverges, can you please file a bug against freeradius to have<br>the discussion with the maintainers in public?", Moritz Muehlenhoff from debian<br>security team.<br><br>Issue:<br>It seems, that sensitive information (for example stored in<br>/etc/freeradius/users) can be read by every system user ("others"). After<br>asking the freeradius team I was told, that the /etc/freeradius directory has<br>permissions 750 on their install (see Makefile). On my standard ubuntu/debian<br>package installation there is another/divergent permission set, which allows<br>every system user to access the freeradius directory (and therefore also some<br>files like /etc/freeradius/users which can contain sensitive information).<o:p></o:p></p></blockquote><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I cannot reproduce this. After “apt install freeradius” on debian sid, I end up with the following directory:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><div><p class=MsoNormal>root@a584ef009927:/# ls -ldR /etc/freeradius<o:p></o:p></p></div><div><p class=MsoNormal>drwxr-s--x 3 freerad freerad 4096 Feb 25 15:08 /etc/freeradius<o:p></o:p></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The permissions are set up by <a href="https://anonscm.debian.org/cgit/pkg-freeradius/freeradius.git/tree/debian/freeradius.postinst?id=f205eab8474e33183d936f4f60006a2e070e8335#n23">https://anonscm.debian.org/cgit/pkg-freeradius/freeradius.git/tree/debian/freeradius.postinst?id=f205eab8474e33183d936f4f60006a2e070e8335#n23</a><o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Unfortunately, your bug report was not filed from the machine on which you installed freeradius, so I can’t see which version of the package you’re using.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Can you provide more details on your installation, along with the result of ls -ldR /etc/freeradius please?<o:p></o:p></p></div><div><p class=MsoNormal> <o:p></o:p></p></div><blockquote style='border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm'><p class=MsoNormal><br>I assume the debian freeradius package should be adapted, so that access to the<br>whole /etc/freeradius directory is restricted, as intended by the freeradius<br>team.<br><br>Best regards<br>Simon Boldinger<br><br><br><br>-- System Information:<br>Debian Release: stretch/sid<br> APT prefers artful-updates<br> APT policy: (500, 'artful-updates'), (500, 'artful-security'), (500, 'artful'), (100, 'artful-backports')<br>Architecture: amd64 (x86_64)<br>Foreign Architectures: i386<br><br>Kernel: Linux 4.13.0-32-generic (SMP w/8 CPU cores)<br>Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)<br>Shell: /bin/sh linked to /bin/dash<br>Init: systemd (via /run/systemd/system)<br><br>Versions of packages freeradius depends on:<br>pn freeradius-common <none><br>pn freeradius-config <none><br>ii libc6 2.26-0ubuntu2.1<br>pn libct4 <none><br>pn libfreeradius3 <none><br>ii libgdbm3 1.8.3-14<br>ii libpam0g 1.1.8-3.2ubuntu3<br>ii libperl5.26 5.26.0-8ubuntu1<br>ii libpython2.7 2.7.14-2ubuntu2<br>ii libreadline7 7.0-0ubuntu2<br>ii libsqlite3-0 3.19.3-3<br>ii libssl1.0.0 1.0.2g-1ubuntu13.3<br>ii libtalloc2 2.1.9-2ubuntu1<br>ii libwbclient0 2:4.6.7+dfsg-1ubuntu3.1<br>ii lsb-base 9.20160110ubuntu5<br><br>Versions of packages freeradius recommends:<br>pn freeradius-utils <none><br><br>Versions of packages freeradius suggests:<br>pn freeradius-krb5 <none><br>pn freeradius-ldap <none><br>pn freeradius-mysql <none><br>pn freeradius-postgresql <none><br>pn snmp <none><br><br>_______________________________________________<br>Pkg-freeradius-maintainers mailing list<br><a href="mailto:Pkg-freeradius-maintainers@lists.alioth.debian.org">Pkg-freeradius-maintainers@lists.alioth.debian.org</a><br><a href="https://lists.alioth.debian.org/mailman/listinfo/pkg-freeradius-maintainers" target="_blank">https://lists.alioth.debian.org/mailman/listinfo/pkg-freeradius-maintainers</a><o:p></o:p></p></blockquote></div><p class=MsoNormal><br><br clear=all><o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>-- <o:p></o:p></p><div><p class=MsoNormal>Best regards,<br>Michael<o:p></o:p></p></div></div></div></div></body></html>