[Bug 523134] [NEW] origami should not use 'nogroup' for group file ownership

Seth Arnold seth.arnold at gmail.com
Wed Feb 17 10:42:12 UTC 2010

*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: origami

Origami is using the 'nogroup' group for its group file ownership;
instead, a special group must be created in the same fashion as the
'origami' user.

'nogroup' (and 'nobody') exist so that programs, such as NFS daemons,
can run with those uids, and reasonably expect to access only files in
the filesystem with world (other) read/write access. If there are files
with group owner 'nogroup' in the filesystem, then the point of the
'nogroup' group is broken. (The use of nobody/nogroup for overflow
uid/gid is unfortunate, and yet another compounding reason why origami
shouldn't be using 'nogroup' for file ownership.)

Because the files created by origami do need a group owner of some sort,
I recommend creating a new group when creating a new user. That way, no
other processes on the system get unexpected privileges to the
Folding at Home files, and Folding at Home does not get unexpected privileges
to other files that might also be making the same mistake. :)


** Affects: origami (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

origami should not use 'nogroup' for group file ownership
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

ubuntu-bugs mailing list
ubuntu-bugs at lists.ubuntu.com

More information about the universe-bugs mailing list