
Bug 125851

Summary: glsa-check (from gentoolkit) should not be world executable
Product: Portage Development
Reporter: Björn Michaelsen <bjoern.michaelsen>
Component: Unclassified
Assignee: Portage team <dev-portage>
Status: RESOLVED WONTFIX    
Severity: normal    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Björn Michaelsen 2006-03-11 10:46:07 UTC
In app-portage/gentoolkit-0.2.1, glsa-check has the following permissions:
-rwxr-xr-x  1 root root 8,9K 25. Jan 03:43 /usr/bin/glsa-check

This is a Bad Thing because any unprivileged user can get information very fast about exploitable security holes on the system.
Proposed solution:
glsa-check should have permissions set to something like this:
-rwxr-x---  1 root portage 8,9K 25. Jan 03:43 /usr/bin/glsa-check
Comment 1 solar (RETIRED) gentoo-dev 2006-03-11 11:15:26 UTC
Removing the executable bit from glsa-check in no way prevents normal users from obtaining the same information. A user can still copy his/her own copy of glsa-check to the box or simply look at the vdb. glsa-check is also intended to be run from non-root cronjob scripts.

As the user you have the option to remove the executable bits on your own /var/db/pkg/* but that is not a change we will make to portage or glsa-check.

Sorry, closing as WONTFIX. Have a good day.
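The point solar makes is that the information glsa-check reports comes from the Portage vdb (/var/db/pkg), so the mode bits on /usr/bin/glsa-check are not what gates it; only the permissions on the vdb itself are. The script below is an added example, not code from this bug or from gentoolkit: it audits whether a vdb-style tree is readable and traversable by "other", and applies the local tightening solar mentions (dropping other's read and execute bits below the vdb root). The function names are this example's own, and it runs against a constructed temporary tree rather than a real /var/db/pkg, so it works on any POSIX system.

```shell
#!/bin/sh
# Added example, not from the bug report or gentoolkit. Audits a vdb-like
# tree for world readability and applies the mitigation solar describes.
# Function names are this example's own; the sample tree is constructed.

set -u

# Build a throwaway vdb-like tree with Portage's usual modes
# (directories 755, files 644). Constructed sample data, not real packages.
make_sample_vdb() {
    root=$(mktemp -d)
    mkdir -p "$root/app-portage/gentoolkit-0.2.1" "$root/sys-libs/zlib-1.2.3"
    printf 'gentoolkit-0.2.1\n' > "$root/app-portage/gentoolkit-0.2.1/PF"
    printf 'zlib-1.2.3\n' > "$root/sys-libs/zlib-1.2.3/PF"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    printf '%s\n' "$root"
}

# True (exit 0) if any directory under $1 is traversable by "other",
# i.e. an unprivileged user can walk into it and list package entries.
vdb_world_traversable() {
    n=$(find "$1" -type d -perm -o=x | wc -l | tr -d ' ')
    [ "$n" -gt 0 ]
}

# Number of files under $1 readable by "other" (each PF file here names
# one installed package version, which is what a GLSA lookup needs).
vdb_world_readable_files() {
    find "$1" -type f -perm -o=r | wc -l | tr -d ' '
}

# The local tightening solar mentions: remove other's read and execute
# (traversal) bits below the vdb root. Owner and group bits are untouched,
# so root (and the portage group on a real system) keep access.
restrict_vdb() {
    find "$1" -type d -exec chmod o-rx {} +
    find "$1" -type f -exec chmod o-r {} +
}

# Stand-alone walkthrough on the constructed tree: sh vdb_audit.sh --demo
demo() {
    root=$(make_sample_vdb)
    printf 'before: world-readable files=%s\n' "$(vdb_world_readable_files "$root")"
    restrict_vdb "$root"
    printf 'after:  world-readable files=%s\n' "$(vdb_world_readable_files "$root")"
    rm -rf "$root"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Before `restrict_vdb`, every directory is traversable and every PF file readable by any local account, which is why hiding the glsa-check binary buys nothing. After it, nothing below the root is visible to "other". The caveat is the one solar raises in the same comment: glsa-check is meant to run from non-root cron jobs, so locking down the vdb this way also breaks those unless the job runs as root or as a member of the owning group.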