Debian bug report logs - #1696, boring messages

-----------------------------------------------------------------------

Message sent to debian-devel@pixar.com:

Subject: Bug#1696: inetd manpage infelicity could cause alarm
Reply-To: Ian Jackson, debian-bugs@pixar.com
Resent-From: Ian Jackson
Resent-To: debian-devel@pixar.com
Resent-Date: Tue, 17 Oct 1995 19:48:02 GMT
Resent-Message-ID:
Resent-Sender: iwj10@cus.cam.ac.uk
X-Debian-PR-Package: netbase
X-Debian-PR-Keywords:
Received: via spool for debian-bugs; Tue, 17 Oct 1995 19:48:02 GMT
Received: with rfc822 via encapsulated-mail; Tue, 17 Oct 1995 19:43:49 GMT
Received: from pixar.com by mongo.pixar.com with smtp (Smail3.1.28.1 #15) id m0t5Hts-00061yC; Tue, 17 Oct 95 12:42 PDT
Received: from artemis.chu.cam.ac.uk by pixar.com with SMTP id AA20004 (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Tue, 17 Oct 1995 12:41:42 -0700
Received: from chiark.chu.cam.ac.uk by artemis.chu.cam.ac.uk with smtp (Smail3.1.29.1 #33) id m0t5Ivv-0007u9C; Tue, 17 Oct 95 20:48 GMT
Received: by chiark.chu.cam.ac.uk id m0t5HtX-0002axC (Debian /\oo/\ Smail3.1.29.1 #29.33); Tue, 17 Oct 95 20:41 BST
Message-Id:
Date: Tue, 17 Oct 95 20:41 BST
From: Ian Jackson
To: Debian bugs submission address

Package: netbase
Version: 1.16-1

The inetd(8) manpage says:

     The user entry should contain the user name of the user as whom the
     server should run.  This allows for servers to be given less
     permission than root.  An optional group name can be specified by
     appending a dot to the user name followed by the group name.  This
     allows for servers to run with a different (primary) group id than
     specified in the password file.  If a group is specified and user is
     not root, the supplementary groups associated with that user will
     still be set.

I'm not sure whether that should be `If no group is specified ...',
but that behaviour would be a security hole if it were the case.
People who write a userid in the inetd.conf rightly expect inetd to
set the gid and supplementary groups as well.  Luckily inetd does
actually do this.  I tried

 1557 stream tcp nowait nobody /usr/sbin/tcpd /usr/bin/id

and got

 -chiark:~> telnet localhost 1557
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
 Connection closed by foreign host.
 -chiark:~>

So, I think this is a documentation bug only.

I haven't done any experiments with specifying a group in the
inetd.conf.

Ian.

-----------------------------------------------------------------------

Message sent:

From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: Ian Jackson
Subject: Bug#1696: Acknowledgement (was: inetd manpage infelicity could cause alarm)
In-Reply-To:
References:

Thank you for the problem report you have sent regarding Debian GNU/Linux.
This is an automatically generated reply, to let you know your message has
been received.  It is being forwarded to the developers' mailing list for
their attention; they will reply in due course.

If you wish to submit further information on your problem, please send
it to debian-bugs@pixar.com, but please ensure that the Subject
line of your message starts with "Bug#1696" or "Re: Bug#1696" so that
we can identify it as relating to the same problem.

Please do not reply to the address at the top of this message,
unless you wish to report a problem with the bug-tracking system.

Ian Jackson
(maintainer, debian-bugs)

-----------------------------------------------------------------------

Message sent to debian-devel@pixar.com:

Subject: Bug#1696: inetd manpage infelicity could cause alarm
Reply-To: Ian Jackson, debian-bugs@pixar.com
Resent-From: Ian Jackson
Resent-To: debian-devel@pixar.com
Resent-Date: Wed, 18 Oct 1995 01:03:02 GMT
Resent-Message-ID:
Resent-Sender: iwj10@cus.cam.ac.uk
X-Debian-PR-Package: netbase
X-Debian-PR-Keywords:
Received: via spool for debian-bugs; Wed, 18 Oct 1995 01:03:02 GMT
Received: with rfc822 via encapsulated-mail; Wed, 18 Oct 1995 00:53:58 GMT
Received: from pixar.com by mongo.pixar.com with smtp (Smail3.1.28.1 #15) id m0t5MkZ-00060BC; Tue, 17 Oct 95 17:52 PDT
Received: from artemis.chu.cam.ac.uk by pixar.com with SMTP id AA13459 (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Tue, 17 Oct 1995 17:52:29 -0700
Received: from chiark.chu.cam.ac.uk by artemis.chu.cam.ac.uk with smtp (Smail3.1.29.1 #33) id m0t5Nme-0007u9C; Wed, 18 Oct 95 01:59 GMT
Received: by chiark.chu.cam.ac.uk id m0t5Mk7-0002YHC (Debian /\oo/\ Smail3.1.29.1 #29.33); Wed, 18 Oct 95 01:52 BST
Message-Id:
Date: Wed, 18 Oct 95 01:52 BST
From: Ian Jackson
To: debian-bugs@pixar.com
In-Reply-To: <9510172245.AA26840@server.et-inf.fho-emden.de>
References: <9510172245.AA26840@server.et-inf.fho-emden.de>

Peter Tobias writes ("Re: Bug#1696: inetd manpage infelicity could cause alarm"):
> Ian Jackson wrote:
> > The inetd(8) manpage says:
> >      The user entry should contain the user name of the user as whom the serv-
> >      er should run.  This allows for servers to be given less permission than
> >      root.  An optional group name can be specified by appending a dot to the
> >      user name followed by the group name.  This allows for servers to run with
> >      a different (primary) group id than specified in the password file.  If a
> >      group is specified and user is not root, the supplementary groups associ-
> >      ated with that user will still be set.
>
> > I'm not sure whether that should be `If no group is specified ...',
> > but that behaviour would be a security hole if it were the case.
> > People who write a userid in the inetd.conf rightly expect inetd to
> > set the gid and supplementary groups as well.  Luckily inetd does
> > actually do this.
[...]
>
> I think the manual page is correct:
>
[ transcript omitted ]

Ah, yes, I see - I missed the word `still'.  Under the circumstances
this behaviour seems like a mistake, even though it is documented.

> As you can see the group of the (non root) user "tobias" is set to "nogroup"
> and the supplementary groups of the user "tobias" are still there.

Quite.

Ian.

-----------------------------------------------------------------------

Message sent:

From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: Ian Jackson
Subject: Bug#1696: Info received (was Bug#1696: inetd manpage infelicity could cause alarm)
In-Reply-To:
References:

Thank you for the additional information you have supplied regarding
this problem report.  It has been forwarded to the developers to
accompany the original report.

If you wish to continue to submit further information on your problem,
please do the same thing again: send it to debian-bugs@pixar.com, ensuring
that the Subject line starts with "Bug#1696" or "Re: Bug#1696" so that
we can identify it as relating to the same problem.

Please do not reply to the address at the top of this message,
unless you wish to report a problem with the bug-tracking system.

Ian Jackson
(maintainer, debian-bugs)

-----------------------------------------------------------------------

Message sent:

From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: tobias@et-inf.fho-emden.de
In-Reply-To: <9510201610.AA05795@server.et-inf.fho-emden.de>
References: <9510201610.AA05795@server.et-inf.fho-emden.de>
Subject: Bug#1696: marked as done (was: inetd manpage infelicity could cause alarm)

Your message dated Fri, 20 Oct 1995 17:10:05 +0100 (MET)
with message-id <9510201610.AA05795@server.et-inf.fho-emden.de>
and subject line Bug#1696: inetd manpage infelicity could cause alarm
has caused the attached bug report to be marked as done.

It is now your responsibility to ensure that the bug report is dealt with.

(NB: If you are a system administrator and have no idea what I'm
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Ian Jackson
(maintainer, debian-bugs)

Received: with rfc822 via encapsulated-mail; Tue, 17 Oct 1995 19:43:49 GMT
From chiark.chu.cam.ac.uk!ian Tue Oct 17 12:42:13 1995
Return-Path:
Received: from pixar.com by mongo.pixar.com with smtp (Smail3.1.28.1 #15) id m0t5Hts-00061yC; Tue, 17 Oct 95 12:42 PDT
Received: from artemis.chu.cam.ac.uk by pixar.com with SMTP id AA20004 (5.67b/IDA-1.5 for debian-bugs-pipe@mongo.pixar.com); Tue, 17 Oct 1995 12:41:42 -0700
Received: from chiark.chu.cam.ac.uk by artemis.chu.cam.ac.uk with smtp (Smail3.1.29.1 #33) id m0t5Ivv-0007u9C; Tue, 17 Oct 95 20:48 GMT
Received: by chiark.chu.cam.ac.uk id m0t5HtX-0002axC (Debian /\oo/\ Smail3.1.29.1 #29.33); Tue, 17 Oct 95 20:41 BST
Message-Id:
Date: Tue, 17 Oct 95 20:41 BST
From: Ian Jackson
To: Debian bugs submission address
Subject: inetd manpage infelicity could cause alarm

Package: netbase
Version: 1.16-1

The inetd(8) manpage says:

     The user entry should contain the user name of the user as whom the
     server should run.  This allows for servers to be given less
     permission than root.
     An optional group name can be specified by appending a dot to the
     user name followed by the group name.  This allows for servers to run
     with a different (primary) group id than specified in the password
     file.  If a group is specified and user is not root, the
     supplementary groups associated with that user will still be set.

I'm not sure whether that should be `If no group is specified ...',
but that behaviour would be a security hole if it were the case.
People who write a userid in the inetd.conf rightly expect inetd to
set the gid and supplementary groups as well.  Luckily inetd does
actually do this.  I tried

 1557 stream tcp nowait nobody /usr/sbin/tcpd /usr/bin/id

and got

 -chiark:~> telnet localhost 1557
 Trying 127.0.0.1...
 Connected to localhost.
 Escape character is '^]'.
 uid=65534(nobody) gid=65534(nogroup) groups=65534(nogroup)
 Connection closed by foreign host.
 -chiark:~>

So, I think this is a documentation bug only.

I haven't done any experiments with specifying a group in the
inetd.conf.

Ian.

-----------------------------------------------------------------------

Message sent:

From: iwj10@thor.cam.ac.uk (Ian Jackson)
To: Ian Jackson
Subject: Bug#1696 acknowledged by developer (was: inetd manpage infelicity could cause alarm)
References: <9510201610.AA05795@server.et-inf.fho-emden.de>
In-Reply-To:

This is an automatic notification regarding your bug report.

Responsibility for it has been taken by one of the developers, namely
"Peter Tobias" (reply to tobias@et-inf.fho-emden.de).

You should be hearing from them with a substantive response shortly,
if you have not already done so.  If not, please contact them
directly, or email debian-bugs@pixar.com or myself.

Ian Jackson
(maintainer, debian-bugs)

-----------------------------------------------------------------------

Ian Jackson / iwj10@thor.cam.ac.uk, with the debian-bugs tracking mechanism
This page last modified 07:43:01 GMT Wed 01 Nov
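
Added example, not part of the bug log or of netbase: a Python sketch that applies the man page's rule (an explicit group replaces the primary group, while the user's other memberships stay) to a whole inetd.conf and lists the entries where that matters. The passwd and group data, the port-1558 entry, the staff and floppy memberships and all function names are constructed for illustration.

```python
# Constructed sample data; only the port-1557 entry appears in the bug report.
PASSWD = ("root:x:0:0::/root:/bin/sh\n"
          "nobody:x:65534:65534::/:/bin/false\n"
          "tobias:x:1000:100::/home/tobias:/bin/sh\n")
GROUP = ("root:x:0:\nfloppy:x:25:tobias\nstaff:x:50:tobias\n"
         "users:x:100:\nnogroup:x:65534:\n")
INETD_CONF = """\
# service type proto wait user[.group] server args
1557 stream tcp nowait nobody /usr/sbin/tcpd /usr/bin/id
1558 stream tcp nowait tobias.nogroup /usr/sbin/tcpd /usr/bin/id
"""

def load_accounts(passwd_text, group_text):
    """Return (user -> primary group name, group name -> listed members)."""
    gid_name, members = {}, {}
    for line in group_text.splitlines():
        name, _pw, gid, users = line.split(":")
        gid_name[gid] = name
        members[name] = {u for u in users.split(",") if u}
    primary = {}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        primary[fields[0]] = gid_name[fields[3]]
    return primary, members

def credentials(user_field, primary, members):
    """Groups a server gets under the behaviour the man page documents."""
    # Assumption: the first dot separates user from group.
    user, _, group = user_field.partition(".")
    return {
        "user": user,
        "primary": group or primary[user],
        "supplementary": sorted(g for g, m in members.items() if user in m),
        "overridden": bool(group),
    }

def audit(conf_text, primary, members):
    """Flag non-root entries whose explicit group leaves memberships in place."""
    findings = []
    for line in conf_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue
        c = credentials(fields[4], primary, members)
        # The man page sentence covers non-root users only, so root is skipped.
        if c["overridden"] and c["user"] != "root" and c["supplementary"]:
            findings.append((fields[0], c["user"], c["primary"], c["supplementary"]))
    return findings

if __name__ == "__main__":
    primary, members = load_accounts(PASSWD, GROUP)
    for service, user, group, extra in audit(INETD_CONF, primary, members):
        print(f"{service}: {user} runs with gid {group} but keeps {', '.join(extra)}")
```

On a real host the three strings would be replaced by the contents of /etc/passwd, /etc/group and /etc/inetd.conf.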