Bug 32541 - why not make /etc/default/ readable by all?
Status: CLOSED FIXED
Product: Sisyphus
Classification: Development
Component: shadow-utils
Version: unstable
Hardware: all Linux
Importance: P3 enhancement
Assignee: Mikhail Efremov
QA Contact: qa-sisyphus
Reported: 2016-09-28 11:38 MSK by Ivan Zakharyaschev
Modified: 2017-03-07 20:23 MSK

Description Ivan Zakharyaschev 2016-09-28 11:38:26 MSK
shadow-utils-4.1.4.2-alt8


$ rpm -qf /etc/default -lv | fgrep /etc/default
drwxr-x--x    2 root    root                0 июн 21  2012 /etc/default
-rw-------    1 root    root              118 июн 21  2012 /etc/default/useradd
$ 

Why should the list of things that are in the directory be secret?


$ egrep '^/etc/default' /ALT/Sisyphus/{noarch,x86_64}/base/contents_index
/ALT/Sisyphus/noarch/base/contents_index:/etc/default/eeepc-acpi-scripts	eeepc-acpi-scripts
/ALT/Sisyphus/noarch/base/contents_index:/etc/default/google-chrome	google-chrome-preinstall
/ALT/Sisyphus/noarch/base/contents_index:/etc/default/jetty	jetty
/ALT/Sisyphus/noarch/base/contents_index:/etc/default/vivaldi	vivaldi-preinstall
/ALT/Sisyphus/noarch/base/contents_index:/etc/default/yandex-browser	yandex-browser-preinstall
/ALT/Sisyphus/noarch/base/contents_index:/etc/default/yandex-browser-beta	yandex-browser-preinstall
/ALT/Sisyphus/x86_64/base/contents_index:/etc/default	shadow-utils
/ALT/Sisyphus/x86_64/base/contents_index:/etc/default/aufs	aufs2-util
/ALT/Sisyphus/x86_64/base/contents_index:/etc/default/aufs	aufs2-util-ng
/ALT/Sisyphus/x86_64/base/contents_index:/etc/default/aufs	aufs3-util
/ALT/Sisyphus/x86_64/base/contents_index:/etc/default/cryptmount	cryptmount
/ALT/Sisyphus/x86_64/base/contents_index:/etc/default/grub	grub2-common
/ALT/Sisyphus/x86_64/base/contents_index:/etc/default/ld10k1	/etc/default/ld10k1
/ALT/Sisyphus/x86_64/base/contents_index:/etc/default/ltsp-client-setup	ltsp-client
/ALT/Sisyphus/x86_64/base/contents_index:/etc/default/useradd	shadow-utils
/ALT/Sisyphus/x86_64/base/contents_index:/etc/default/vservers-default	util-vserver
$ 

Are there plans for /etc/default/ to hold some files with secret names?
Comment 1 Ivan Zakharyaschev 2016-09-28 11:58:13 MSK
In Ubuntu Trusty, it's readable by all.
Comment 2 Repository Robot 2017-03-07 20:23:37 MSK
shadow-1:4.4-alt1 -> sisyphus:

* Fri Mar 03 2017 Mikhail Efremov <sem@altlinux> 1:4.4-alt1
- Don't own %_sysconfdir/default/ (closes: #32541).
- Fix possible crash if gmtime() returns NULL.
- chsh: Fix duplicate warning.
- Enable audit support.
- Don't package ChangeLog/NEWS files.
- Spec cleanup.
- submap: Add control scripts for newuidmap/newgidmap.
- Fix build: ignore write() return value.
- configure.ac: Drop man/po/Makefile.
- Drop FORCE_SHADOW.
- Don't create missing files.
- Fixes from upstream git:
  + Keep the permissions of the original file when creating a backup.
  + useradd: Read defaults after changing root directories.
  + Don't crash on bogus keys in login.defs if PAM is enabled.
  + Last bits of enabling subuids.
  + Make login.def files valid ASCII instead of UTF-8.
  + include getdef.h for getdef_bool prototype.
  + Print error message if SELinux file context manipulation fails.
  + Fix regression in useradd not loading defaults properly.
  + */Makefile.am: Replace INCLUDES with AM_CPPFLAGS.
- Updated to 4.4 (fixes CVE-2016-6252).