| Summary: | mergemaster as unprivileged user dumps system default master.passwd into /var/tmp/temproot |
|---|---|
| Product: | Base System |
| Reporter: | John D Jones III <jnbek1972> |
| Component: | bin |
| Assignee: | freebsd-bugs (Nobody) <bugs> |
| Status: | New --- |
| Severity: | Affects Many People |
| CC: | emaste, freebsd, mmokhi, wjw |
| Priority: | --- |
| Version: | 10.2-STABLE |
| Hardware: | Any |
| OS: | Any |
| See Also: | https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=252417 |

Description
John D Jones III
2015-08-26 01:44:12 UTC
I think it uses /usr/src/etc/* as base and then it diffs all that to the system etc, not the actual one installed in /etc/ so I don't think there's any threat. If you have a look at /usr/src/etc/ you will see a generic master.passwd which should be the same one you're looking at. A normal user has no access to /etc/master.passwd

```
-rw------- 1 root wheel 2612 Aug 24 03:06 /etc/master.passwd
-rw-r--r-- 1 root wheel 1640 Aug 18 12:26 /usr/src/etc/master.passwd
```

This bug also affects me on 10.1-Release and 10.1-stable

I think we [as writer of this bash script] should first of all check user privileges then run main loop. [just a simple guess]

Created attachment 160369
warn user when not running as root
As anonymous reports this is the stock FreeBSD-provided master.passwd which has no privileged information. Thus this is (only) a QOI issue.
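
An added example, not part of the bug thread and not mergemaster code: a shell check for the point made in the comments above, confirming that a master.passwd left in a temproot is the stock source copy and carries no password hashes. The function names and sample files are constructed for illustration, and treating an empty or `*` password field as "no hash" is an assumption about the stock file.

```shell
#!/bin/sh
# Added example, not mergemaster code. On a real system the two inputs would be
# /var/tmp/temproot/etc/master.passwd and /usr/src/etc/master.passwd.

# count_hashed_entries FILE
# Prints how many accounts have a password field that is neither empty nor "*"
# (assumption: the stock file uses only those two values).
count_hashed_entries() {
    awk -F: '/^#/ || NF < 2 { next } $2 != "" && $2 != "*" { n++ } END { print n + 0 }' "$1"
}

# audit_temproot_passwd TEMPROOT_FILE STOCK_FILE
# Prints one of: missing | stock | contains-hashes | differs-no-hashes
audit_temproot_passwd() {
    [ -r "$1" ] || { echo missing; return 0; }
    if cmp -s "$1" "$2"; then
        echo stock                 # byte-identical to the source tree copy
    elif [ "$(count_hashed_entries "$1")" -gt 0 ]; then
        echo contains-hashes       # would be a real disclosure
    else
        echo differs-no-hashes     # edited, but nothing sensitive found
    fi
}

# write_samples DIR: constructed sample files (not real account data).
write_samples() {
    printf '%s\n' '# constructed stock file' \
        'root::0:0::0:0:Charlie &:/root:/bin/csh' \
        'daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin' \
        > "$1/stock"
    cp "$1/stock" "$1/temproot_ok"
    printf '%s\n' 'root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:0:0::0:0:Charlie &:/root:/bin/csh' \
        > "$1/temproot_bad"
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_temproot_passwd "$demo_dir/temproot_ok" "$demo_dir/stock"
audit_temproot_passwd "$demo_dir/temproot_bad" "$demo_dir/stock"
```

Only the `contains-hashes` result would indicate the disclosure the report was worried about; `stock` matches the conclusion reached in the thread.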