Date: Mon, 04 Mar 2024 10:55:21 +0000 From: bugzilla-noreply@freebsd.org To: bugs@FreeBSD.org Subject: [Bug 277470] Security Vulnerability: etcupdate incorrectly sets permissions for /var/db/etcupdate/conflicts/etc/master.passwd Message-ID: <bug-277470-227@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D277470 Bug ID: 277470 Summary: Security Vulnerability: etcupdate incorrectly sets permissions for /var/db/etcupdate/conflicts/etc/master.passwd Product: Base System Version: 13.3-RELEASE Hardware: Any OS: Any Status: New Severity: Affects Only Me Priority: --- Component: misc Assignee: bugs@FreeBSD.org Reporter: chris@cretaforce.gr I've encountered an issue while upgrading systems from 13.2 to 13.3. Upon executing the upgrade process using the following commands: cd /usr/src make buildworld make buildkernel make installkernel etcupdate -p make installworld etcupdate I noticed that during the final step (etcupdate), conflicts were detected in the files /etc/master.passwd and /etc/group. Consequently, I utilized `etcupdate resolve` to rectify these conflicts. Before resolving the conflicts, I checked the file /var/db/etcupdate/conflicts/master.passwd and found that it had insecure permissions: ls -la /var/db/etcupdate/conflicts/etc/master.passwd -rw-r--r-- 1 root wheel 5690 Feb 28 00:05 /var/db/etcupdate/conflicts/etc/master.passwd The file master.passwd contains encrypted root and user passwords, thereby presenting a significant security risk due to its unrestricted read access. Your attention to this matter would be greatly appreciated, and I remain available to provide any additional information or assistance required for troubleshooting. --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-277470-227>