<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Feb 26, 2018 at 8:17 PM, <span dir="ltr"><<a href="mailto:simon@turnagile.com" target="_blank">simon@turnagile.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="DE" link="blue" vlink="purple"><div class="m_1834570345118767415WordSection1"><span class=""><p class="MsoNormal"><span>Hi Michael,<u></u><u></u></span></p><p class="MsoNormal"><span><u></u> <u></u></span></p><p class="MsoNormal"><span>thank's for your response. The permission setting you described is exactly the setting I found on my host(s):<u></u><u></u></span></p><p class="MsoNormal"><span>root@intra:/etc/freeradius# ls -ldR /etc/freeradius/<u></u><u></u></span></p><p class="MsoNormal"><span>drwxr-s--x 6 freerad freerad 28 Feb 25 16:39 /etc/freeradius/<u></u><u></u></span></p><p class="MsoNormal"><span><u></u> <u></u></span></p><p class="MsoNormal"><span>_<i>But</i>_ in combination with the /etc/freeradius/users permission setting:<u></u><u></u></span></p><p class="MsoNormal"><span>root@intra:/etc/freeradius# ls -ldR /etc/freeradius/users <u></u><u></u></span></p><p class="MsoNormal"><span>-rw-r--r-- 1 root root 6524 Jul 26 2017 /etc/freeradius/users<u></u><u></u></span></p><p class="MsoNormal"><span><u></u> <u></u></span></p><p class="MsoNormal"><span>An "other" user can simply read the (maybe sensitive) content via a simple "cat /etc/freeradius/users".<u></u><u></u></span></p><p class="MsoNormal"><span><u></u> <u></u></span></p><p class="MsoNormal"><span>So, from my point of view the /etc/freeradius permissions should for example be set to 750 or the files within this directory (especially the „users“ file) need more restrictive permissions. <u></u><u></u></span></p><p class="MsoNormal"><span><u></u> <u></u></span></p><p class="MsoNormal"><span>Sorry for not sending the bugreport from the affected host, but in this case I think it is not necessary anymore?</span></p></span></div></div></blockquote><div><br></div><div>It would still be good to know the version numbers involved, as permissions have changed repeatedly over time.</div><div><br></div><div>When doing a fresh installation, or upgrading from < 3.0.12+dfsg-2, the postinst script will change the permission of all files underneath /etc/freeradius to 640, so either you must be using a very old version, or something else went wrong. I’m also curious because recent package versions use /etc/freeradius/3.0, not /etc/freeradius.</div><div><br></div><div>In any case, the packaging used mode 2751 for /etc/freeradius before I became the maintainer, so I never questioned it.</div><div><br></div><div>Especially seeing that upstream is in agreement, I’m all for using a stricter permission. I’ll change the package to use 2750 going forward.</div><div><br></div><div>jmm, is there any documentation regarding best practices for /etc directory modes in Debian that I could refer to in my commit message?</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div lang="DE" link="blue" vlink="purple"><div class="m_1834570345118767415WordSection1"><span class=""><p class="MsoNormal"><span><u></u><u></u></span></p><p class="MsoNormal"><span><u></u> <u></u></span></p><p class="MsoNormal"><span>Greets<u></u><u></u></span></p><p class="MsoNormal"><span>Simon<u></u><u></u></span></p><p class="MsoNormal"><span><u></u> <u></u></span></p><p class="MsoNormal"><span><u></u> <u></u></span></p><p class="MsoNormal"><b>Von:</b> <a href="mailto:michael@i3wm.org" target="_blank">michael@i3wm.org</a> [mailto:<a href="mailto:michael@i3wm.org" target="_blank">michael@i3wm.org</a>] <b>Im Auftrag von </b>Michael Stapelberg<br><b>Gesendet:</b> Sonntag, 25. Februar 2018 16:13<br><b>An:</b> Simon Boldinger <<a href="mailto:simon@turnagile.com" target="_blank">simon@turnagile.com</a>>; <a href="mailto:890933@bugs.debian.org" target="_blank">890933@bugs.debian.org</a><br><b>Betreff:</b> Re: [Pkg-freeradius-maintainers] Bug#890933: freeradius: File permissions allow access to sensitive information by "others"<u></u><u></u></p><p class="MsoNormal"><u></u> <u></u></p></span><div><p class="MsoNormal">Hey Simon,<u></u><u></u></p><div><div class="h5"><div><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">On Tue, Feb 20, 2018 at 8:09 PM, Simon Boldinger <<a href="mailto:simon@turnagile.com" target="_blank">simon@turnagile.com</a>> wrote:<u></u><u></u></p><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm"><p class="MsoNormal">Package: freeradius<br>Severity: grave<br>Tags: security<br>Justification: user security hole<br><br>Dear Maintainer,<br><br>first of all, I already shared the following information with the debian<br>security team and they asked me to file this as a bug report: "I'm not why the<br>Debian packaging diverges, can you please file a bug against freeradius to have<br>the discussion with the maintainers in public?", Moritz Muehlenhoff from debian<br>security team.<br><br>Issue:<br>It seems, that sensitive information (for example stored in<br>/etc/freeradius/users) can be read by every system user ("others"). After<br>asking the freeradius team I was told, that the /etc/freeradius directory has<br>permissions 750 on their install (see Makefile). On my standard ubuntu/debian<br>package installation there is another/divergent permission set, which allows<br>every system user to access the freeradius directory (and therefore also some<br>files like /etc/freeradius/users which can contain sensitive information).<u></u><u></u></p></blockquote><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">I cannot reproduce this. After “apt install freeradius” on debian sid, I end up with the following directory:<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><div><p class="MsoNormal">root@a584ef009927:/# ls -ldR /etc/freeradius<u></u><u></u></p></div><div><p class="MsoNormal">drwxr-s--x 3 freerad freerad 4096 Feb 25 15:08 /etc/freeradius<u></u><u></u></p></div></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">The permissions are set up by <a href="https://anonscm.debian.org/cgit/pkg-freeradius/freeradius.git/tree/debian/freeradius.postinst?id=f205eab8474e33183d936f4f60006a2e070e8335#n23" target="_blank">https://anonscm.debian.org/<wbr>cgit/pkg-freeradius/<wbr>freeradius.git/tree/debian/<wbr>freeradius.postinst?id=<wbr>f205eab8474e33183d936f4f60006a<wbr>2e070e8335#n23</a><u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Unfortunately, your bug report was not filed from the machine on which you installed freeradius, so I can’t see which version of the package you’re using.<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Can you provide more details on your installation, along with the result of ls -ldR /etc/freeradius please?<u></u><u></u></p></div><div><p class="MsoNormal"> <u></u><u></u></p></div><blockquote style="border:none;border-left:solid #cccccc 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm"><p class="MsoNormal"><br>I assume the debian freeradius package should be adapted, so that access to the<br>whole /etc/freeradius directory is restricted, as intended by the freeradius<br>team.<br><br>Best regards<br>Simon Boldinger<br><br><br><br>-- System Information:<br>Debian Release: stretch/sid<br> APT prefers artful-updates<br> APT policy: (500, 'artful-updates'), (500, 'artful-security'), (500, 'artful'), (100, 'artful-backports')<br>Architecture: amd64 (x86_64)<br>Foreign Architectures: i386<br><br>Kernel: Linux 4.13.0-32-generic (SMP w/8 CPU cores)<br>Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)<br>Shell: /bin/sh linked to /bin/dash<br>Init: systemd (via /run/systemd/system)<br><br>Versions of packages freeradius depends on:<br>pn freeradius-common <none><br>pn freeradius-config <none><br>ii libc6 2.26-0ubuntu2.1<br>pn libct4 <none><br>pn libfreeradius3 <none><br>ii libgdbm3 1.8.3-14<br>ii libpam0g 1.1.8-3.2ubuntu3<br>ii libperl5.26 5.26.0-8ubuntu1<br>ii libpython2.7 2.7.14-2ubuntu2<br>ii libreadline7 7.0-0ubuntu2<br>ii libsqlite3-0 3.19.3-3<br>ii libssl1.0.0 1.0.2g-1ubuntu13.3<br>ii libtalloc2 2.1.9-2ubuntu1<br>ii libwbclient0 2:4.6.7+dfsg-1ubuntu3.1<br>ii lsb-base 9.20160110ubuntu5<br><br>Versions of packages freeradius recommends:<br>pn freeradius-utils <none><br><br>Versions of packages freeradius suggests:<br>pn freeradius-krb5 <none><br>pn freeradius-ldap <none><br>pn freeradius-mysql <none><br>pn freeradius-postgresql <none><br>pn snmp <none><br><br>______________________________<wbr>_________________<br>Pkg-freeradius-maintainers mailing list<br><a href="mailto:Pkg-freeradius-maintainers@lists.alioth.debian.org" target="_blank">Pkg-freeradius-maintainers@<wbr>lists.alioth.debian.org</a><br><a href="https://lists.alioth.debian.org/mailman/listinfo/pkg-freeradius-maintainers" target="_blank">https://lists.alioth.debian.<wbr>org/mailman/listinfo/pkg-<wbr>freeradius-maintainers</a><u></u><u></u></p></blockquote></div><p class="MsoNormal"><br><br clear="all"><u></u><u></u></p><div><p class="MsoNormal"><u></u> <u></u></p></div><p class="MsoNormal">-- <u></u><u></u></p><div><p class="MsoNormal">Best regards,<br>Michael<u></u><u></u></p></div></div></div></div></div></div></div></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">Best regards,<br>Michael</div>
</div></div>