Bugzilla – Full Text Bug Listing
| Summary: | AUDIT-FIND: shadowsocks-libev: Recursive chown in user owned directory | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Johannes Segitz <jsegitz> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | NEW --- | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P5 - None | CC: | hillwoodroc |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| URL: | https://smash.suse.de/issue/383671/ | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Can't assign it to the openSUSE contributor, sent him a mail.

Side note: this might be the result of an attempt to fix bug 1212862.
A recent change in shadowsocks-libev introduced:

```
%post
%service_add_post %{name}-server.service
%service_add_post %{name}-client.service
%service_add_post %{name}-manager.service
%service_add_post %{name}-nat.service
%service_add_post %{name}-redir.service
%service_add_post %{name}-tunnel.service
%service_add_post %{name}-server@.service
%service_add_post %{name}-client@.service
%service_add_post %{name}-nat@.service
%service_add_post %{name}-redir@.service
%service_add_post %{name}-tunnel@.service
chown root:shadowsocks %{_sysconfdir}/shadowsocks -R
```

This is not great from a security POV and I also fail to see why we do this. The group just has read permissions, but the shadowsocks-libev-config.json file in there has 644 anyway, so it doesn't really help. Can we drop this?
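A pre-check a packaging reviewer could run on a tree before relying on a root-run `chown -R` like the one in the `%post` scriptlet quoted above; this is an added example, not part of the bug report or the package. The function name, the reason labels and the optional trusted-uid argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the package): list entries that make a tree unsuitable
# for a recursive ownership change performed by root.
#
# audit_chown_tree DIR [TRUSTED_UID]
#   Prints one "REASON<TAB>PATH" line per finding; returns 1 if there are any.
#   TRUSTED_UID defaults to 0 (root). The argument is an assumption of this
#   example so the check can be exercised without root privileges.
#
# Reasons reported:
#   foreign-owner    entry not owned by the trusted uid
#   symlink          symbolic link anywhere in the tree
#   hardlinked-file  regular file with more than one name (link count > 1)
#   writable-dir     directory writable by group or others
audit_chown_tree() {
    dir=$1
    trusted=${2:-0}

    # The top-level path itself must be a real directory, not a link to one.
    if [ ! -d "$dir" ] || [ -L "$dir" ]; then
        printf 'not-a-plain-directory\t%s\n' "$dir"
        return 1
    fi

    findings=$(
        find "$dir" ! -user "$trusted" -exec printf 'foreign-owner\t%s\n' {} \;
        find "$dir" -type l -exec printf 'symlink\t%s\n' {} \;
        find "$dir" -type f -links +1 -exec printf 'hardlinked-file\t%s\n' {} \;
        find "$dir" -type d \( -perm -0020 -o -perm -0002 \) \
            -exec printf 'writable-dir\t%s\n' {} \;
    )

    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage (path is a placeholder): audit_chown_tree /path/to/config/dir
```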