Bug 91466 - net-analyzer/piwi: insecure file permission causes info leak
Summary: net-analyzer/piwi: insecure file permission causes info leak
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Default Configs
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo Security
URL:
Whiteboard: [removed] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2005-05-04 11:41 UTC by eromang
Modified: 2005-05-29 06:56 UTC

Description eromang 2005-05-04 11:41:57 UTC
Hello,

The /etc/piwi/config.pl is world readable.

A malicious local user could obtain sensitive information such as the login & password for mysql prelude - piwi access

Reproducible: Always
Steps to Reproduce:
1.
2.
3.

Actual Results:  
This file is world readable

Expected Results:  
This file should not be world readable
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-04 23:10:59 UTC
netmon please advise.
Comment 2 Daniel Black (RETIRED) gentoo-dev 2005-05-05 01:43:01 UTC
Valid for piwi-0.8.0.20031109-r2. Fixed in piwi-0.8.0.20031109-r3

piwi-0.8.0.20031109-r2:
1214849    4 -rw-r--r--   1 root     root         1103 May  5 18:32 ./etc/piwi/config.pl
1214850    4 -rw-r--r--   1 root     root          371 May  5 18:32 ./etc/piwi/piwi-apache.conf


piwi-0.8.0.20031109-r3:
1214077    4 -rw-r-----   1 root     root         1103 May  5 18:31 ./etc/piwi/config.pl
1214079    4 -rw-r--r--   1 root     root          371 May  5 18:31 ./etc/piwi/piwi-apache.conf

Major outstanding bug on piwi - bug #66167

Aaron/Elead - is /etc/piwi/piwi-apache.conf a valid location for apache conf files?

Thoughts on package removal?
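
The before/after listings in Comment 2 can be checked mechanically. The following is an added example, not part of the original bug thread or the piwi ebuild: it parses the `find -ls` output quoted above and reports files whose "other" class has read or write permission. The function names are hypothetical, chosen for this illustration.

```python
import os
import stat

# Listings copied from Comment 2 (`find -ls` output for each revision).
R2 = """\
1214849    4 -rw-r--r--   1 root     root         1103 May  5 18:32 ./etc/piwi/config.pl
1214850    4 -rw-r--r--   1 root     root          371 May  5 18:32 ./etc/piwi/piwi-apache.conf
"""
R3 = """\
1214077    4 -rw-r-----   1 root     root         1103 May  5 18:31 ./etc/piwi/config.pl
1214079    4 -rw-r--r--   1 root     root          371 May  5 18:31 ./etc/piwi/piwi-apache.conf
"""

OTHER_RW = stat.S_IROTH | stat.S_IWOTH  # 0o006

def mode_bits(sym):
    """Convert an ls-style mode string such as '-rw-r-----' to permission bits."""
    bits = 0
    for i, ch in enumerate(sym[1:10]):
        if ch in "rwxst":  # 'S'/'T' mean a special bit without execute
            bits |= 1 << (8 - i)
    return bits

def parse_find_ls(text):
    """Return {path: (mode_bits, owner, group)} from `find -ls` output."""
    entries = {}
    for line in text.splitlines():
        # inode, blocks, mode, links, owner, group, size, month, day, time, path
        f = line.split(None, 10)
        if len(f) == 11:
            entries[f[10]] = (mode_bits(f[2]), f[4], f[5])
    return entries

def world_accessible(entries):
    """Paths that any local user can read or write."""
    return sorted(p for p, (m, _, _) in entries.items() if m & OTHER_RW)

def check_path(path):
    """Apply the same test to a live file instead of a listing."""
    return bool(stat.S_IMODE(os.stat(path).st_mode) & OTHER_RW)

if __name__ == "__main__":
    for name, listing in (("r2", R2), ("r3", R3)):
        print(name, world_accessible(parse_find_ls(listing)))
```

Running `check_path("/etc/piwi/config.pl")` on an installed system gives the same answer for the file on disk; a `True` result matters for any file that stores credentials, as `config.pl` does according to the report.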
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-09 23:08:30 UTC
netmon is this ready for stable marking?
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-11 07:24:26 UTC
Is this ready for stable marking or going to be masked?
Comment 5 Marcelo Goes (RETIRED) gentoo-dev 2005-05-11 11:25:39 UTC
There is still bug 66167 open regarding PIWI.
Personally, I'd mask PIWI, prewikka should be able to replace it when an ebuild is available.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-05-15 08:25:32 UTC
This is a default config bug... If you put passwords in clear in there, protect the file dammit.

+ If PIWI has an outstanding bug I agree it should be masked anyway.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-16 13:05:31 UTC
Ok, there is a prewikka ebuild in the pipe on bug #87617. I'd say get it in the tree and remove piwi. netmon?
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-25 06:54:23 UTC
netmon please comment.
Comment 9 Marcelo Goes (RETIRED) gentoo-dev 2005-05-25 10:50:58 UTC
That prewikka ebuild is a bit funky and I am not sure it can just be pushed into
the tree. Upstream made it tough to script an install in a sane manner.

Still, I think piwi should be masked for future deletion. When prewikka gets in
the tree, we can take piwi out.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-27 10:25:29 UTC
Bug #66167 is not a regression. Either we should call arches to mark 
piwi-0.8.0.20031109-r3 stable or mask. netmon it's your package, what course 
of action do you propose? 
Comment 11 Daniel Black (RETIRED) gentoo-dev 2005-05-27 17:26:16 UTC
prewikka was committed in bug #87617. This is the replacement for piwi. After a  
little more testing piwi will be removed and a package move entry  
piwi->prewikka. 
 
I just masked it too. 
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-27 22:37:17 UTC
Thx Daniel 
Comment 13 Daniel Black (RETIRED) gentoo-dev 2005-05-29 05:57:41 UTC
piwi removed from tree. 
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-05-29 06:56:56 UTC
Ready to close.