Bug#553374: Proxy password in apt.conf is readable by all users


Bug#553374: Proxy password in apt.conf is readable by all users

by Yohann Lepage


Package: apt
Version: 0.7.23.1
Severity: wishlist

Hi,

I filled in the proxy configuration when installing Debian.
After installation, the proxy configuration is in /etc/apt.conf:
Acquire::http::Proxy "http://user:password@...:8080";

However, the permissions of apt.conf are:
188620 -rw-r--r-- 1 root root 68 oct 30 08:26 apt.conf

The unencrypted proxy password in apt.conf is readable by all users!

Shouldn't the permissions on apt.conf be more restrictive? Or put the password in another file with more restrictive permissions?

Regards,
Yohann Lepage


-- Package-specific info:

-- apt-config dump --

APT "";
APT::Architecture "i386";
APT::Build-Essential "";
APT::Build-Essential:: "build-essential";
APT::Install-Recommends "0";
APT::Install-Suggests "0";
APT::Acquire "";
APT::Acquire::Translation "environment";
APT::Authentication "";
APT::Authentication::TrustCDROM "true";
APT::NeverAutoRemove "";
APT::NeverAutoRemove:: "^linux-image.*";
APT::NeverAutoRemove:: "^linux-restricted-modules.*";
APT::Periodic "";
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "0";
APT::Periodic::AutocleanInterval "0";
APT::Update "";
APT::Update::Post-Invoke-Success "";
APT::Update::Post-Invoke-Success:::: "touch /var/lib/apt/periodic/update-success-stamp 2>/dev/null || true";
APT::Archives "";
APT::Archives::MaxAge "30";
APT::Archives::MinAge "2";
APT::Archives::MaxSize "500";
Dir "/";
Dir::State "var/lib/apt/";
Dir::State::lists "lists/";
Dir::State::cdroms "cdroms.list";
Dir::State::userstatus "status.user";
Dir::State::status "/var/lib/dpkg/status";
Dir::Cache "var/cache/apt/";
Dir::Cache::archives "archives/";
Dir::Cache::srcpkgcache "srcpkgcache.bin";
Dir::Cache::pkgcache "pkgcache.bin";
Dir::Etc "etc/apt/";
Dir::Etc::sourcelist "sources.list";
Dir::Etc::sourceparts "sources.list.d";
Dir::Etc::vendorlist "vendors.list";
Dir::Etc::vendorparts "vendors.list.d";
Dir::Etc::main "apt.conf";
Dir::Etc::parts "apt.conf.d";
Dir::Etc::preferences "preferences";
Dir::Etc::preferencesparts "preferences.d";
Dir::Bin "";
Dir::Bin::methods "/usr/lib/apt/methods";
Dir::Bin::dpkg "/usr/bin/dpkg";
Dir::Log "var/log/apt";
Dir::Log::Terminal "term.log";
Unattended-Upgrade "";
Unattended-Upgrade::Allowed-Origins "";
Unattended-Upgrade::Allowed-Origins:: "Debian stable";
DPkg "";
DPkg::Pre-Install-Pkgs "";
DPkg::Pre-Install-Pkgs:: "/usr/sbin/dpkg-preconfigure --apt || true";
DPkg::Post-Invoke "";
DPkg::Post-Invoke:: "if [ -d /var/lib/update-notifier ]; then  touch /var/lib/update-notifier/dpkg-run-stamp; fi";

-- (no /etc/apt/preferences present) --


-- (/etc/apt/sources.list present, but not submitted) --


-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.30-1-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages apt depends on:
ii  debian-archive-keyring        2009.01.31 GnuPG archive keys of the Debian a
ii  libc6                         2.9-25     GNU C Library: Shared libraries
ii  libgcc1                       1:4.4.1-4  GCC support library
ii  libstdc++6                    4.4.1-4    The GNU Standard C++ Library v3

apt recommends no packages.

Versions of packages apt suggests:
pn  apt-doc                   <none>         (no description available)
ii  aptitude                  0.4.11.11-1+b2 terminal-based package manager
ii  bzip2                     1.0.5-3        high-quality block-sorting file co
ii  dpkg-dev                  1.15.4.1       Debian package development tools
ii  lzma                      4.43-14        Compression method of 7z format in
ii  python-apt                0.7.13.3       Python interface to libapt-pkg
ii  synaptic                  0.62.9         Graphical package manager

-- no debconf information



--
To UNSUBSCRIBE, email to debian-bugs-dist-REQUEST@...
with a subject of "unsubscribe". Trouble? Contact listmaster@...


Bug#553374: Proxy password in apt.conf is readable by all users

by Christian Perrier


Quoting Yohann Lepage (yohannlepage@...):

> Package: apt
> Version: 0.7.23.1
> Severity: wishlist
>
> Hi,
>
> I filled in the proxy configuration when installing Debian.
> After installation, the proxy configuration is in /etc/apt.conf:
> Acquire::http::Proxy "http://user:password@...:8080";
>
> However, the permissions of apt.conf are:
> 188620 -rw-r--r-- 1 root root 68 oct 30 08:26 apt.conf
>
> The unencrypted proxy password in apt.conf is readable by all users!
>
> Shouldn't the permissions on apt.conf be more restrictive? Or put the password in another file with more restrictive permissions?
Why not in a file in /etc/apt/apt.conf.d which you could set to 0600?





Bug#553374: Proxy password in apt.conf is readable by all users

by Yohann Lepage


2009/10/31 Christian Perrier <bubulle@...>:
> Why not in a file in /etc/apt/apt.conf.d which you could set to 0600?
Yes, it's a good idea. But this is not the default behavior.

--
Yohann L.
GPG fingerprint : C8DB 2466 E48D 4323 669D C8AC 9833 136F BA04 8DC4
http://www.2xyo.info





Bug#553374: Proxy password in apt.conf is readable by all users

by Christian Perrier


reassign 553374 apt-setup
retitle 553374 Should make proxy password only readable by root
thanks

Quoting Yohann Lepage (yohannlepage@...):
> 2009/10/31 Christian Perrier <bubulle@...>:
> > Why not in a file in /etc/apt/apt.conf.d which you could set to 0600?
> Yes it's a good idea. But this is not the default behavior.

APT has nothing to do with this, then.

The proxy setting is put in apt.conf by D-I when it configures APT for
the first time.

So, what could be done is to put an apt.conf configuration snippet in
/etc/apt/apt.conf.d, make it readable only by root... and do this
*only* when proxy settings contain a user/password pair.

I'm not completely sure this is such a great idea. What about possible
use cases for APT when users are not root?

I believe that:
- the user/password used to access the proxy should not be a login
that belongs to a real user (as it means using a named login for a
role use)
- all this should be left up to the local administrator.

Reassigning anyway. If something is done, that will be in the
apt-setup component of D-I.





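The layout sketched in the two replies above (a snippet under /etc/apt/apt.conf.d instead of apt.conf itself, readable only by root, and only when the proxy URL actually carries a user/password pair), written out as an added example. This is not code from the thread, from apt or from the apt-setup component of D-I; the snippet name 90local-proxy, the host proxy.example and the credential strings are assumptions, and the directory is a parameter so the script can be run on a scratch directory as an unprivileged user (on a real system it would be /etc/apt/apt.conf.d). The audit function at the end is the check a local administrator would run to find a world-readable file like the one in the report.

```shell
#!/bin/sh
# Added example: root-only apt.conf.d snippet for a proxy URL with credentials,
# plus an audit for APT config files that leak such credentials.
# Not apt-setup's own code; paths and sample values are assumptions.
set -eu

# proxy_has_credentials URL -> succeeds when the URL authority looks like
# "user:password@host". Heuristic: a ':' followed by '@' after the scheme.
proxy_has_credentials() {
    case "$1" in
        *://*:*@*) return 0 ;;
        *)         return 1 ;;
    esac
}

# write_proxy_snippet DIR NAME URL
# Writes DIR/NAME containing the Acquire::http::Proxy line. The file is
# created under umask 077, so the password is never group/world-readable,
# not even between creation and chmod. Only a URL without credentials is
# relaxed to 0644 afterwards, matching "do this *only* when proxy settings
# contain a user/password pair". Prints the path written.
write_proxy_snippet() {
    dir="$1"; name="$2"; url="$3"
    target="$dir/$name"
    mkdir -p "$dir"
    (umask 077; printf 'Acquire::http::Proxy "%s";\n' "$url" > "$target")
    if proxy_has_credentials "$url"; then
        chmod 0600 "$target"
    else
        chmod 0644 "$target"
    fi
    printf '%s\n' "$target"
}

# file_mode FILE -> permission bits in octal, e.g. 600 (GNU stat, as on Debian)
file_mode() {
    stat -c '%a' "$1"
}

# audit_proxy_creds DIR
# Prints "<path> <mode>" for every file in DIR whose Acquire::*::Proxy URL
# embeds user:password while the file is readable by group or others.
# Prints nothing when every such file is owner-only.
audit_proxy_creds() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if grep -Eq 'Acquire::[A-Za-z]+::Proxy[[:space:]]+"[a-z]+://[^"/]+:[^"/]+@' "$f"; then
            m=$(stat -c '%a' "$f")
            case "$m" in
                *00) ;;                           # only owner bits set: fine
                *)   printf '%s %s\n' "$f" "$m" ;;
            esac
        fi
    done
}

# Demonstration on a constructed scratch directory, not /etc/apt/apt.conf.d:
# one snippet written by this script next to a world-readable apt.conf that
# mirrors the one in the bug report (mode 644, credentials in the URL).
scratch=$(mktemp -d)
write_proxy_snippet "$scratch" 90local-proxy 'http://user:password@proxy.example:8080' >/dev/null
printf 'Acquire::http::Proxy "http://user:password@proxy.example:8080";\n' > "$scratch/apt.conf"
chmod 0644 "$scratch/apt.conf"
echo "snippet mode: $(file_mode "$scratch/90local-proxy")"   # 600
echo "files leaking proxy credentials:"
audit_proxy_creds "$scratch"                                  # reports apt.conf 644
rm -rf "$scratch"
```

The caveat raised in the reply stands: once the snippet is 0600, apt invoked as an ordinary user cannot read that configuration fragment, so check the non-root commands you rely on (for example apt-cache policy) before adopting this on a multi-user machine. The credential check is a heuristic on the URL shape; a path containing ':' and '@' would trip it, which errs on the side of the stricter mode.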

Processed: Re: Bug#553374: Proxy password in apt.conf is readable by all users

by Debian Bug Tracking System


Processing commands for control@...:

> reassign 553374 apt-setup
Bug #553374 [apt] Proxy password in apt.conf is is readable by all users
Bug reassigned from package 'apt' to 'apt-setup'.
Bug No longer marked as found in versions apt/0.7.23.1.
> retitle 553374 Should make proxy password only readable by root
Bug #553374 [apt-setup] Proxy password in apt.conf is is readable by all users
Changed Bug title to 'Should make proxy password only readable by root' from 'Proxy password in apt.conf is is readable by all users'
> thanks
Stopping processing here.

Please contact me if you need assistance.

Debian bug tracking system administrator
(administrator, Debian Bugs database)

