Re: [bug #29755] gdomap information disclosure vulnerabilities

[Richard Frith-Macdonald]

On 5 May 2010, at 16:04, Dan Rosenberg wrote:

> I'm still a bit unsure about this fix.  I think that it should either
> be made explicit that gdomap is never intended to be installed setuid
> (and as a result, is never installed that way), or it should be fixed
> so that it's completely safe to run setuid - choosing somewhere in
> between leaves some users open to vulnerability.

I think the current state is that it's safe to run setuid to root.
But ... that doesn't mean we should start recommending having it setuid.

> I haven't seen the actual code of the fix, but it sounds as if it's a
> good start but incomplete.  As Fred mentioned, unprivileged users
> should not be able to open and parse other users' files at all, even
> if the error information returned is limited.

I'm not sure about that ... when there's no security issue in doing so, it 
seems reasonable to be able to have different users share common configuration 
information (after all, that's what group permissions are for).  Forcing all 
users to have their own separate config files would rather defeat the point.

It's hard to see how the current code (reporting problem line number) could 
provide useful information to a cracker, but I suppose we could simply report 
nothing at all.