Debian Bug report logs - #1055580
dlt-daemon: Runs daemon as user nobody with owned files on fsys

Package: dlt-daemon; Maintainer for dlt-daemon is Aigars Mahinovs <[email protected]>; Source for dlt-daemon is src:dlt-daemon (PTS, buildd, popcon).

Reported by: Guillem Jover <[email protected]>

Date: Wed, 8 Nov 2023 12:15:01 UTC

Severity: serious

Tags: security

Found in version dlt-daemon/2.18.0-1

Fixed in version dlt-daemon/2.18.10-8

Done: Gianfranco Costamagna <[email protected]>


Report forwarded to [email protected], Aigars Mahinovs <[email protected]>:
Bug#1055580; Package dlt-daemon. (Wed, 08 Nov 2023 12:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to Guillem Jover <[email protected]>:
New Bug report received and forwarded. Copy sent to Aigars Mahinovs <[email protected]>. (Wed, 08 Nov 2023 12:15:04 GMT) (full text, mbox, link).


Message #5 received at [email protected] (full text, mbox, reply):

From: Guillem Jover <[email protected]>
To: [email protected]
Subject: dlt-daemon: Runs daemon as user nobody with owned files on fsys
Date: Wed, 8 Nov 2023 13:12:53 +0100
Package: dlt-daemon
Version: 2.18.0-1
Severity: serious
Tags: security

Hi!

This daemon runs as user nobody, while creating multiple files on the
filesystem owned by the same user, which are used as part of its
security protection. This is a security issue, given that other
daemons on the system might be running as the same user, and worse
when dlt-daemon is writing and parsing files from hardcoded paths
under /tmp.

From base-passwd/users-and-groups.txt.gz:

  ,---
    nobody, nogroup
          Daemons that need not own any files sometimes run as
          user nobody and group nogroup, although using a
          dedicated user is far preferable. Thus, no files on a
          system should be owned by this user or group.

          (Technically speaking, it does no harm for a file to be
          owned by group nogroup as long as the ownership confers
          no additional privileges, that is if the group and other
          permission bits are equal. However, this is sloppy
          practice and should be avoided.)

          If root-squashing is in use over NFS, root access from
          the client is performed as user nobody on the server.
  `---

If you are going to fix this by using a dedicated user/group, please
make sure to namespace them with «_» to distinguish them as system
users and avoid unnecessary collisions with non-system users. (Such
as _dlt or similar.)

[ The version I used is the earliest I found with the same issue from
  the tracker.d.o page, earlier versions might be affected too, dunno. ]

Thanks,
Guillem
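As an added example (not code from the bug report or from the dlt-daemon package), a small audit script that implements the base-passwd policy quoted above: it flags any file owned by user nobody, and any file owned by group nogroup whose group permission bits differ from its "other" bits. The fallback ids 65534/65534 and the default scan root /tmp are assumptions.

```python
import os
import pwd
import grp
import stat
from typing import List, Optional, Tuple

# Debian's conventional ids; used when name lookup fails (assumption).
NOBODY_UID = 65534
NOGROUP_GID = 65534

def check_entry(uid: int, gid: int, mode: int,
                nobody_uid: int = NOBODY_UID,
                nogroup_gid: int = NOGROUP_GID) -> Optional[str]:
    """Policy for one inode: user nobody must own nothing; group nogroup is
    tolerated only when group bits equal 'other' bits. Returns reason or None."""
    if uid == nobody_uid:
        return "owned by user nobody"
    if gid == nogroup_gid:
        group_bits = (mode & stat.S_IRWXG) >> 3
        other_bits = mode & stat.S_IRWXO
        if group_bits != other_bits:
            return "group nogroup permission bits differ from 'other'"
    return None

def resolve_ids() -> Tuple[int, int]:
    """Look up the real ids; fall back to the Debian defaults if absent."""
    try:
        return pwd.getpwnam("nobody").pw_uid, grp.getgrnam("nogroup").gr_gid
    except KeyError:
        return NOBODY_UID, NOGROUP_GID

def audit_tree(root: str, nobody_uid: int, nogroup_gid: int) -> List[Tuple[str, str]]:
    """Walk root without following symlinks (lstat) and collect violations."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # raced away or unreadable: skip, do not abort
            reason = check_entry(st.st_uid, st.st_gid, st.st_mode, nobody_uid, nogroup_gid)
            if reason is not None:
                findings.append((path, reason))
    return findings

if __name__ == "__main__":
    uid, gid = resolve_ids()
    for path, reason in audit_tree("/tmp", uid, gid):
        print(f"{path}: {reason}")
```

Run as root to see the whole tree; as an unprivileged user it reports only entries it can stat.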



Reply sent to Gianfranco Costamagna <[email protected]>:
You have taken responsibility. (Tue, 21 Nov 2023 16:09:05 GMT) (full text, mbox, link).


Notification sent to Guillem Jover <[email protected]>:
Bug acknowledged by developer. (Tue, 21 Nov 2023 16:09:05 GMT) (full text, mbox, link).


Message #10 received at [email protected] (full text, mbox, reply):

From: Debian FTP Masters <[email protected]>
To: [email protected]
Subject: Bug#1055580: fixed in dlt-daemon 2.18.10-8
Date: Tue, 21 Nov 2023 16:04:09 +0000
Source: dlt-daemon
Source-Version: 2.18.10-8
Done: Gianfranco Costamagna <[email protected]>

We believe that the bug you reported is fixed in the latest version of
dlt-daemon, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Gianfranco Costamagna <[email protected]> (supplier of updated dlt-daemon package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


Format: 1.8
Date: Tue, 21 Nov 2023 13:18:22 +0100
Source: dlt-daemon
Built-For-Profiles: noudeb
Architecture: source
Version: 2.18.10-8
Distribution: unstable
Urgency: medium
Maintainer: Aigars Mahinovs <[email protected]>
Changed-By: Gianfranco Costamagna <[email protected]>
Closes: 1055580
Changes:
 dlt-daemon (2.18.10-8) unstable; urgency=medium
 .
   * Make sure dlt runs as _dlt user, not as nobody (Closes: #1055580)
   * Start using upstream service files.
   * Enable systemd watchdog






Debian bug tracking system administrator <[email protected]>. Last modified: Tue May 13 12:54:13 2025; Machine Name: bembo
