severity 299007 wishlist
reassign 299007 debian-policy
thanks
On Fri, 11 Mar 2005, Paul Szabo wrote:
> Package: base-files
> Version: 3.0.2
> Severity: critical
> Tags: patch security
> Justification: root security hole
>
> I recently noticed that /usr/local and /usr/local/{bin,sbin} are
> group-writable and owned by root:staff. This is wrong: those directories
> are in the default PATH for root. They (and files within) should be
> root-owned: group staff users or become-any-user-but-root bugs should not
> be able to trojan and thus get root.
> [...]
This is not a bug. base-files follows policy. If you don't like
current policy, amend it. For your benefit, I'm doing a reassign.
Now you have to make a policy proposal. This is explained in the
debian-policy package.
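
The condition the report describes can be checked mechanically. The following is an added example, not part of the original messages or of base-files: a POSIX shell function (the names `unsafe_dir` and `audit_path` are hypothetical) that lists every directory on a PATH, and every ancestor of it, that is not owned by the expected uid (assumed to be 0, root) or is group- or world-writable.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the directories on a PATH.
# A directory is reported when a user other than the expected owner could
# create or replace files in it, or replace the directory via a writable
# ancestor (e.g. /usr/local for /usr/local/bin).

# unsafe_dir DIR OWNER_UID
# Succeeds if DIR is not owned by OWNER_UID or is group- or world-writable.
unsafe_dir() {
    [ -n "$(find -H "$1" -prune \
        \( ! -user "$2" -o -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# audit_path PATH_STRING [OWNER_UID] [STOP_DIR]
# Prints each unsafe directory once, sorted. OWNER_UID defaults to 0 (root).
# The ancestor walk ends at STOP_DIR (default /), which is itself checked.
# The body runs in a subshell so the IFS and globbing changes do not leak.
audit_path() (
    owner=${2:-0}
    stop=${3:-/}
    IFS=:       # split PATH_STRING on colons
    set -f      # no filename expansion on the split words
    for entry in $1; do
        # Only absolute entries are audited here; empty or relative ones
        # are skipped (assumption made for this example).
        case $entry in /*) ;; *) continue ;; esac
        d=$entry
        while :; do
            if unsafe_dir "$d" "$owner"; then
                printf '%s\n' "$d"
            fi
            if [ "$d" = "$stop" ] || [ "$d" = / ]; then
                break
            fi
            d=$(dirname "$d")
        done
    done | sort -u
)

# Usage, as root: audit_path "$PATH"
```

Directories with the sticky bit set are still reported, since sticky only restricts deletion and renaming, not creation of new files.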