[Secure-testing-team] Bug#593829: sabnzbdplus: sabnzbd.ini defaults to world-readable
P.M. van Aalten
debian at vanaalten.net
Sat Aug 21 11:33:44 UTC 2010
Justification: user security hole
After installing sabnzbdplus and configuring it, I found out that the main configuration file for sabnzbdplus is world-readable (it can be found in $HOME/.sabnzbd/sabnzbd.ini).
This config file contains my sabnzbd access password (which I could have chosen the same as my login password...) as well as my E-mail user name & password - all in plain text. Since this file is world-readable (644), these logins are available to everyone with access to the file.
A user can manually change this - setting it to 600 seems to work fine in my case - but someone 'just installing the package' may forget about this.
Unfortunately this file is not part of the list of files that gets installed - it is generated by sabnzbd itself at first startup. So it is not simply a matter of adding a chmod to the postinst file.
What I propose is to modify the init script (pseudocode):
if CONFIG in /etc/default/sabnzbdplus is set:
touch $CONFIG # well, maybe only if it didn't exist yet
chmod 600 $CONFIG # perhaps switchable in case one WANTS it world/group readable
touch /home/$USER/.sabnzbd/sabnzbd.ini # maybe not referring to /home
chmod 600 /home/$USER/.sabnzbd/sabnzbd.ini
(perhaps some chown commands should be added to this as well)
(and perhaps only do this if the config file didn't exist yet, so effectively at first run)
This way, a (empty) config file with proper security settings will be generated at the right location before first use. Not the nicest solution, but the best I can think of.
This issue seems to have been discussed already at sabnzbd forum - the conclusion was something like "the usenet password already is plain text, therefore no use hiding the user password - best is to simply change the ini file security settings". That's what I try to accomplish automatically with the proposal above.
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-486
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages sabnzbdplus depends on:
ii python 2.6.5-11 interactive high-level object-orie
ii python-cheetah 126.96.36.199-1 text-based template engine and Pyt
ii python-configobj 4.7.2+ds-1 simple but powerful config file re
ii python-feedparser 4.1-14 Universal Feed Parser for Python
ii python-support 1.0.9 automated rebuilding support for P
ii sabnzbdplus-theme-smpl 0.5.3-1 smpl interface templates for the S
Versions of packages sabnzbdplus recommends:
ii par2 0.4-11 Parity Archive Volume Set, for che
ii python-openssl 0.10-1 Python wrapper around the OpenSSL
ii python-yenc 0.3+debian-2+b1 yEnc encoding/decoding extension f
ii rar 2:3.9.3-1 Archiver for .rar files
ii sabnzbdplus-theme-classi 0.5.3-1 classic interface templates for th
ii sabnzbdplus-theme-plush 0.5.3-1 plush interface templates for the
ii unrar 1:3.8.5-1 Unarchiver for .rar files (non-fre
ii unzip 6.0-4 De-archiver for .zip files
Versions of packages sabnzbdplus suggests:
pn python-dbus <none> (no description available)
pn sabnzbdplus-theme-mobile <none> (no description available)
-- Configuration Files:
-- no debconf information
More information about the Secure-testing-team