Bug 32541

Summary: why not make /etc/default/ readble by all?
Product: Sisyphus Reporter: Ivan Zakharyaschev <imz>
Component: shadow-utilsAssignee: Mikhail Efremov <sem>
Status: CLOSED FIXED QA Contact: qa-sisyphus
Severity: enhancement    
Priority: P3 CC: ldv, sem
Version: unstable   
Hardware: all   
OS: Linux   

Description Ivan Zakharyaschev 2016-09-28 11:38:26 MSK 
shadow-utils-4.1.4.2-alt8


$ rpm -qf /etc/default -lv | fgrep /etc/default
drwxr-x--x    2 root    root                0 июн 21  2012 /etc/default
-rw-------    1 root    root              118 июн 21  2012 /etc/default/useradd
$ 

Why should the list of things that are in the directory be secret?


$ egrep '^/etc/default' /ALT/Sisyphus/{noarch,x86_64}/base/contents_index
/ALT/Sisyphus/noarch/base/contents_index:/etc/default/eeepc-acpi-scripts	eeepc-acpi-scripts
/ALT/Sisyphus/noarch/base/contents_index:/etc/default/google-chrome	google-chrome-preinstall
/ALT/Sisyphus/noarch/base/contents_index:/etc/default/jetty	jetty
/ALT/Sisyphus/noarch/base/contents_index:/etc/default/vivaldi	vivaldi-preinstall
/ALT/Sisyphus/noarch/base/contents_index:/etc/default/yandex-browser	yandex-browser-preinstall
/ALT/Sisyphus/noarch/base/contents_index:/etc/default/yandex-browser-beta	yandex-browser-preinstall
/ALT/Sisyphus/x86_64/base/contents_index:/etc/default	shadow-utils
/ALT/Sisyphus/x86_64/base/contents_index:/etc/default/aufs	aufs2-util
/ALT/Sisyphus/x86_64/base/contents_index:/etc/default/aufs	aufs2-util-ng
/ALT/Sisyphus/x86_64/base/contents_index:/etc/default/aufs	aufs3-util
/ALT/Sisyphus/x86_64/base/contents_index:/etc/default/cryptmount	cryptmount
/ALT/Sisyphus/x86_64/base/contents_index:/etc/default/grub	grub2-common
/ALT/Sisyphus/x86_64/base/contents_index:/etc/default/ld10k1	/etc/default/ld10k1
/ALT/Sisyphus/x86_64/base/contents_index:/etc/default/ltsp-client-setup	ltsp-client
/ALT/Sisyphus/x86_64/base/contents_index:/etc/default/useradd	shadow-utils
/ALT/Sisyphus/x86_64/base/contents_index:/etc/default/vservers-default	util-vserver
$ 

Are there plans for /etc/default/ to hold some files with secret names?
Comment 1 Ivan Zakharyaschev 2016-09-28 11:58:13 MSK 
In Ubuntu Trusty, it's readable by all.
Comment 2 Repository Robot 2017-03-07 20:23:37 MSK 
shadow-1:4.4-alt1 -> sisyphus:

* Fri Mar 03 2017 Mikhail Efremov <sem@altlinux> 1:4.4-alt1
- Don't own %_sysconfdir/default/ (closes: #32541).
- Fix possible crash if gmtime() returns NULL.
- chsh: Fix duplicate warning.
- Enable audit support.
- Don't package ChangeLog/NEWS files.
- Spec cleanup.
- submap: Add control scripts for newuidmap/newgidmap.
- Fix build: ignore write() return value.
- configure.ac: Drop man/po/Makefile.
- Drop FORCE_SHADOW.
- Don't create missing files.
- Fixes from usptream git:
  + Keep the permissions of the original file when creating a backup.
  + useradd: Read defaults after changing root directories.
  + Don't crash on bogus keys in login.defs if PAM is enabled.
  + Last bits of enabling subuids.
  + Make login.def files valid ASCII instead of UTF-8.
  + include getdef.h for getdef_bool prototype.
  + Print error message if SELinux file context manipulation fails.
  + Fix regression in useradd not loading defaults properly.
  + */Makefile.am: Replace INCLUDES with AM_CPPFLAGS.
- Updated to 4.4 (fixes CVE-2016-6252).