Community Packages


FS#20148 - [oidentd] set default user id and group to something else than root

Attached to Project: Community Packages
Opened by Dirk (dsohler) - Monday, 12 July 2010, 10:21 GMT
Last edited by Mateusz Herych (Partition) - Tuesday, 13 July 2010, 01:21 GMT
Task Type: Feature Request
Category: Packages
Status: Closed
Assigned To: Mateusz Herych (Partition)
Architecture: All
Severity: Medium
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 0
Private: No

Details

Description:

When running oidentd as a daemon via the regular daemon administration procedure (entry in DAEMONS in rc.conf, starting and stopping as root via /etc/rc.d/oidentd) it runs as root, which is – in fact – a security hole. oidentd supports starting as, let's say, nobody:nobody very well.

By applying the attached patch, oidentd checks for a file “/etc/default/oidentd” and sources it (maybe there is a better solution available because sourcing user generated files is dangerous, too). In this file two variables should be defined: USER and GROUP.

The script checks whether these two variables are set to something other than an empty string. If the two variables are empty, secure default values (nobody:nobody) are used.


Additional info:
* 2.0.8-2


Steps to reproduce:
* Install oidentd
* Set up a configuration file for user rights, etc.
* Start oidentd via default start script in /etc/rc.d

Closed by  Mateusz Herych (Partition)
Tuesday, 13 July 2010, 01:21 GMT
Reason for closing:  Fixed
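
The report notes that sourcing /etc/default/oidentd is itself risky. The sketch below is an added example, not the attached patch or the packaged init script: it reads USER and GROUP from the file without executing it, validates them, and falls back to nobody:nobody. The function names `read_default` and `oidentd_args` are hypothetical; `-u` and `-g` are oidentd's user and group options.

```shell
#!/bin/sh
# Added example: read USER and GROUP from a defaults file without sourcing it.

# Print the value of NAME from FILE, or nothing if it is absent or unsafe.
read_default() {
    file=$1 name=$2 value=
    [ -r "$file" ] || return 0
    # Take the last NAME=value line; the file content is never executed.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "$name="*) value=${line#"$name="} ;;
        esac
    done < "$file"
    # Strip one pair of surrounding double quotes, if present.
    case $value in
        \"*\") value=${value#\"}; value=${value%\"} ;;
    esac
    # Accept only plain account names: letters, digits, '_' and '-'.
    case $value in
        ''|-*|*[!A-Za-z0-9_-]*) return 0 ;;
    esac
    printf '%s\n' "$value"
}

# Build the privilege-dropping arguments, defaulting to nobody:nobody.
oidentd_args() {
    user=$(read_default "$1" USER)
    group=$(read_default "$1" GROUP)
    printf '%s\n' "-u ${user:-nobody} -g ${group:-nobody}"
}

# Constructed sample: one valid entry, one attempted command substitution.
sample=$(mktemp)
printf 'USER=oident\nGROUP=$(id)\n' > "$sample"
oidentd_args "$sample"    # prints: -u oident -g nobody
rm -f "$sample"
```

Because the file is parsed as data, a line such as `GROUP=$(id)` is rejected by the validation step and the default is used instead of running the command as root at daemon start.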
