Comment 5 for bug 13795

In , Santiago Vila Doncel (sanvila-unex) wrote : Re: Bug#299007: base-files: Insecure PATH in /root/.profile

severity 299007 wishlist
reassign 299007 debian-policy
thanks

On Fri, 11 Mar 2005, Paul Szabo wrote:

> Package: base-files
> Version: 3.0.2
> Severity: critical
> Tags: patch security
> Justification: root security hole
>
> I recently noticed that /usr/local and /usr/local/{bin,sbin} are
> group-writable and owned by root:staff. This is wrong: those directories
> are in the default PATH for root. They (and files within) should be
> root-owned: group staff users or become-any-user-but-root bugs should not
> be able to trojan and thus get root.
> [...]

This is not a bug. base-files follows policy. If you don't like
current policy, amend it. For your benefit, I'm doing a reassign.
Now you have to make a policy proposal. This is explained in the
debian-policy package.
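
The condition described in the quoted report (directories on root's PATH that are group-writable or not owned by root) can be checked on a running system. The following is an added example, not part of the bug report or of base-files; the function name `audit_path` and its optional owner-UID argument are assumptions of the example, and it also flags relative PATH entries, which goes slightly beyond the report.

```shell
#!/bin/sh
# Added example (not from the bug report): audit the directories on a PATH.
# audit_path PATH_STRING [OWNER_UID]
#   Prints one finding per line; returns 1 if anything was flagged.
#   OWNER_UID defaults to 0 (root). The parameter is an assumption of this
#   example so the check can be exercised without being root.
audit_path() (
    owner=${2:-0}
    status=0
    IFS=:
    set -f                      # no globbing while splitting on ':'
    for dir in $1; do
        case $dir in
            /*) ;;
            *)  # Empty or relative entries resolve against the current
                # directory (a trailing empty entry is not seen by this split).
                printf 'relative-entry: "%s"\n' "$dir"
                status=1
                continue ;;
        esac
        [ -d "$dir" ] || continue
        # Check the directory itself and its immediate entries. Symlinks are
        # skipped; -H resolves $dir itself when it is a symlink.
        foreign=$(find -H "$dir" -maxdepth 1 ! -type l ! -user "$owner" 2>/dev/null)
        writable=$(find -H "$dir" -maxdepth 1 ! -type l \
                        \( -perm -020 -o -perm -002 \) 2>/dev/null)
        if [ -n "$foreign" ]; then
            printf '%s\n' "$foreign" | sed "s/^/not-owned-by-uid-$owner: /"
            status=1
        fi
        if [ -n "$writable" ]; then
            printf '%s\n' "$writable" | sed 's/^/group-or-world-writable: /'
            status=1
        fi
    done
    return "$status"
)

# Typical use as root: audit_path "$PATH"
```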