[Bug 508861] [NEW] bastille sets dpkg-statoverride permissions to 0000

dr launchpad at dominicrutherford.co.uk
Sun Jan 17 19:20:46 UTC 2010


Public bug reported:

Binary package hint: bastille

package: bastille 1:3.0.9-12
Ubuntu version: server 9.10

I opted to have bastille tighten up permissions on various system
administration binaries. The intended action was to set the permissions
(to 750 in most cases) and then use dpkg-statoverride to fix the
permissions at those levels, to prevent updates resetting the
permissions.

However, the code fails - and instead sets the dpkg-statoverride to
0000.

Therefore, on subsequent updates to those packages, the new binaries
have their permissions set to 0000 and can no longer be run (even by
root).

This is serious as it includes many important services and even
/sbin/init.

It is also tricky to diagnose, because it can be some time between
running bastille, and the failure of a service (after a subsequent and
unrelated update).


SAMPLE from bastille action log:
-----------------------------------------
{Wed Nov 18 23:07:29 2009} ACTION # sub GeneralPerms
{Wed Nov 18 23:07:29 2009} ACTION Answer to question
         FilePermissions.generalperms_1_1 is "Y".
{Wed Nov 18 23:07:29 2009} ACTION File exists, running chmod 488 /bin/mt{Wed Nov 18 23:07:29 2009} ACTION change permissions on /bin/mt from 100755  to 750
{Wed Nov 18 23:07:29 2009} ACTION chmod 750,"/bin/mt";
{Wed Nov 18 23:07:29 2009} ACTION Setting permissions with
         dpkg-statoverride:/usr/sbin/dpkg-statoverride --force --add #0 #0  0000 /bin/mt
....
[repeated many more times with many other binaries]

** Affects: bastille (Ubuntu)
     Importance: Undecided
         Status: New

-- 
bastille sets dpkg-statoverride permissions to 0000
https://bugs.launchpad.net/bugs/508861
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
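
A check for the condition reported above, added here as an example and not part of the original report or of bastille: it reads entries in `dpkg-statoverride --list` format (`user group mode path`) and prints every path whose override grants no permission bits. The function name and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: find dpkg-statoverride entries that would leave a file
# with no permission bits after the next package update.

# Reads `dpkg-statoverride --list` style lines on stdin:
#   <user> <group> <mode> <path>
# Prints the path of each entry whose rwx bits (mode & 0777) are all zero.
find_zero_mode_overrides() {
    while read -r user group mode path; do
        # Skip blank or truncated lines.
        [ -n "$path" ] || continue
        # Skip anything whose mode field is not purely octal digits.
        case "$mode" in
            ''|*[!0-7]*) continue ;;
        esac
        # Leading 0 forces octal; mask off setuid/setgid/sticky bits.
        perms=$(( 0$mode & 0777 ))
        if [ "$perms" -eq 0 ]; then
            printf '%s\n' "$path"
        fi
    done
    return 0
}

# Constructed sample input (not taken from a real system).
sample_overrides() {
    cat <<'EOF'
root root 0000 /bin/mt
root root 0750 /usr/sbin/example-tool
root root 0000 /sbin/init
root mail 2755 /usr/bin/example-mailer
EOF
}

# Demonstration on the constructed sample. On a live system the input
# would instead be:  dpkg-statoverride --list | find_zero_mode_overrides
sample_overrides | find_zero_mode_overrides
```

Each path printed can then be reviewed and its override removed with `dpkg-statoverride --remove <path>` or re-added with the intended mode.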
