Dispatch-conf (both portage stable and SVN trunk) can include in its log file some chunks of config that should be hidden from non-root users. Test case is as follows:

- install a dummy package with a 0600 /etc/secret_password config file:

=========================================================
# This is your secret, don't show it to users
password="your_password"
=========================================================

- set your password
- bump the package with an improved config file:

=========================================================
# This is your secret, don't show it to users
# Oh, and don't update it with dispatch-conf!
password="your_password"
=========================================================

- update it with dispatch-conf
- read the 0644 /var/log/dispatch-conf.log file:

=========================================================
--- /etc/secret_password 2005-10-05 12:22:42.000000000 +0200
+++ /etc/._mrg0000_secret_password 2005-10-05 12:23:32.000000000 +0200
@@ -1,2 +1,3 @@
 # This is your secret, don't show it to users
+# Oh, and don't update it with dispatch-conf!
 password="my_secret_password"
=========================================================

The attached patch prevents that by chmoding the log file 0600.

Reproducible: Always
Steps to Reproduce:
Created attachment 69908 [details, diff] dispatch-conf--chmod_log_file.patch
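The report above boils down to two things: a diff of a 0600 config file is appended to a log that is 0644, and the remedy is to keep the log at 0600. The following shell script is an added example for this page, not portage's code and not TGL's patch. It reproduces the leak in a scratch directory with a constructed config file, shows a log writer that creates the log with umask 077 (so it is never world-readable, not even between creation and a later chmod), and includes a check that flags a log more permissive than any private file whose contents it records. All paths, contents and function names are assumptions; it relies on GNU stat's -c option, as found on Gentoo.

```shell
#!/bin/sh
# Added example for the dispatch-conf log permission report (not portage code).
# Paths and file contents are constructed; everything runs in a temp directory.
set -u

# Print the octal permission bits of a file (GNU stat, as on Gentoo).
file_mode() {
    stat -c '%a' "$1"
}

# Return 0 when the octal mode in $1 grants a read bit to group or other.
mode_world_readable() {
    [ $(( 0$1 & 044 )) -ne 0 ]
}

# Append a unified diff of $1 (installed config) against $2 (new config) to log $3.
# The log is created under umask 077 so it is born 0600; creating it 0644 and
# chmod'ing afterwards would leave a window in which the diff is readable by
# everyone. An existing log with a looser mode is tightened before writing.
append_diff_to_log() {
    old=$1; new=$2; log=$3
    ( umask 077; : >> "$log" )
    chmod 600 "$log"
    # diff exits 1 when the files differ; that is the expected case here.
    diff -u "$old" "$new" >> "$log" 2>&1 || true
}

# Return 0 (leak) when the log is readable by group/other while the config
# file it records is not; return 1 otherwise.
log_leaks_private_file() {
    log=$1; cfg=$2
    if mode_world_readable "$(file_mode "$log")" \
       && ! mode_world_readable "$(file_mode "$cfg")"; then
        return 0
    fi
    return 1
}

# Replay the report's scenario. $1 is "vulnerable" (log created 0644, as in
# the original) or "fixed" (log written via append_diff_to_log).
# Prints LEAK or OK.
run_scenario() {
    tmp=$(mktemp -d)
    cfg="$tmp/secret_password"
    new="$tmp/secret_password.new"
    log="$tmp/dispatch-conf.log"
    # Constructed 0600 config holding a secret, like the report's /etc/secret_password.
    ( umask 077; printf '# constructed secret\npassword="constructed_example"\n' > "$cfg" )
    printf '# constructed secret\n# updated comment\npassword="constructed_example"\n' > "$new"
    if [ "$1" = vulnerable ]; then
        ( umask 022; : > "$log" )                  # 0644 log, as before the patch
        diff -u "$cfg" "$new" >> "$log" 2>&1 || true
    else
        append_diff_to_log "$cfg" "$new" "$log"
    fi
    if log_leaks_private_file "$log" "$cfg"; then result=LEAK; else result=OK; fi
    rm -rf "$tmp"
    echo "$result"
}

# Stand-alone run: prints "LEAK" for the unpatched behaviour and "OK" for the fix.
run_scenario vulnerable
run_scenario fixed
```

The check in log_leaks_private_file is the part worth keeping around as an audit: any tool that logs diffs of arbitrary files under /etc should produce a log no more readable than the most private file it has recorded, and comparing the two modes is a cheap way to catch a regression.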
Current portage stable should be updated with TGL's patch.
Applied. 2.0.53 is nearing stable (1~2 weeks?) and logging is not enabled by default, so I'd prefer to wait... Would that be okay?
Never mind... just applied to stable. 2.0.53_rc4 will be out soon and will have the fix as well, but need to wait for the mirrors to catch up.
Thx Jason. This one is ready for GLSA decision. I tend to vote NO.
Not quite, but almost. When I said waiting for the mirrors, I meant that I need to get the distfile out there before I can commit the ebuild. Hence, arch should be out soon/already but ~arch will still be a few hours away.
Arch is what counts, unless Portage is only unstable on some arches:-) Patch file was updated in CVS, that is good enough for me.
agree with jaervosz, vote NO
info leaks are low priority. no vote also.
Thx for the report TGL. Closing without GLSA. Feel free to reopen if you disagree.