Summary: | x11-misc/xfe : directory masks ignored when root creates new files on Samba and NFS | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED INVALID | | |
Severity: | minor | CC: | desktop-misc |
Priority: | Normal | | |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
URL: | http://www.openwall.com/lists/oss-security/2014/02/24/2 | | |
Whiteboard: | B4 [upstream] | | |
Package list: | | Runtime testing required: | --- |
Description
Agostino Sarubbo
2014-02-26 13:46:58 UTC
Debian has (of course) patched this behaviour out. Red Hat has decided this is not a security issue. Upstream shows no patches/issues related to these changes. So it's just Debian carrying the patch.

And the only thing Debian's patch changes is to add this check: if(getuid()>0) when setting the umask. I don't think it's possible to determine what a safe UID would be in this case. >0 certainly isn't it. Also note that at this point you're still running as root a graphical tool intended to manipulate and execute files. Anything could happen.

Per previous comments and the reports from various distributions this is not a security issue, but a policy issue on the proper use of root logins.