[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[debian-devel:12611] Re: (draft) [SECURITY] New version of canna released

From: ISHIKAWA Mutsumi <ishikawa@xxxxxxxxxxx>
Subject: [debian-devel:12611] Re: (draft) [SECURITY] New version of canna released
Date: Wed, 5 Jul 2000 00:50:51 +0900
Organization: ad-hoc.org
X-dispatcher: imput version 20000228(IM140)
X-ml-info: If you have a question, send e-mail with the body "help" (without quotes) to the address debian-devel-ctl@debian.or.jp; help=<mailto:debian-devel-ctl@debian.or.jp?body=help>
X-ml-name: debian-devel
X-mlserver: fml [fml 3.0pl#17]; post only (only members can post)
References: <200005100400.NAA25791@xxxxxxxxxxxxx> <200007010404.NAA02250@xxxxxxxxxxxxxxxxxx> <887lb3l4d8.wl@xxxxxxxxxxxxxxx> <20000703230012F.ishikawa@xxxxxxxxxxx> <87ituns117.wl@xxxxxxxxxxxxxxx>
Message-id: <20000705005049D.ishikawa@xxxxxxxxxxx>
X-mail-count: 12611
User-agent: Wanderlust/1.1.1 (Purple Rain) EMY/1.13.6 (Life is balance) FLIM/1.13.2 (Kasanui) APEL/10.2 Emacs/20.7 (i386-debian-linux-gnu) MULE/4.1 (AOI)

むつみです。

>>>>> In [debian-devel : No.12601] 
>>>>>	Fumitoshi UKAI <ukai@debian.or.jp> wrote:
>> At Mon, 3 Jul 2000 23:00:15 +0900,
>> ISHIKAWA Mutsumi <ishikawa@xxxxxxxxxxx> wrote:

>> >  3) セキュリティ的には cannaserver を動かす専用 UID があった方が望まし
>> >     いはずだが、現在の policy では各 パッケージが勝手に /etc/passwd と
>> >     かにユーザを追加したりしてはいけない。base-files パッケージの
>> >     メンテナに依頼が必要(でもって、そのメンテナが反応遅いんだこれ
>> >     が。。。)。どう考えても時間がかかる。
>>
>> Debian Policy Manual 3.2. Users and groups
>>
>>      100-999:
>>           Dynamically allocated system users and groups.  Packages which
>>           need a user or group, but can have this user or group allocated
>>           dynamically and differently on each system, should use ``adduser
>>           --system'' to create the group and/or user.  `adduser' will check
>>           for the existence of the user or group, and if necessary choose
>>           an unused id based on the ranged specified in `adduser.conf'.
>>
>> ですから やりようによっては postinst で
>>
>> 	adduser --system canna
>>
>> じゃないすかね?

 ふむ。まぁ やりようによっちゃ これで行けるっすね。
 ただ、

>> # chown -R canna /var/lib/canna/dic/canna がいる?

 これは 必要かな。あと /var/log/canna もかな。

>> もしくは Canna の default の bin.bin を使うとか

 うーんと、それだとセキュリティホールが発見されて、なんか cannaserver
の権限で write() とかできちゃうようだと 他の bin.bin でアクセスできる
ファイルとかに 悪さできちゃう ので ナニ っすよね。

 まぁ root.root よりは ぜんぜん 影響小さいですけど。

 って言い出すと、daemon の類いは可能なら、それ独自の UID を持たせて
動かした方がいいってことになるかな。

-- 
いしかわ むつみ <ishikawa@xxxxxxxxxxx>

References:
- [debian-devel:12572] (draft) [SECURITY] New version of canna released
  - From: NOKUBI Takatsugu
- [debian-devel:12597] Re: (draft) [SECURITY] New version of canna released
  - From: Hiroshi KISE
- [debian-devel:12598] Re: (draft) [SECURITY] New version of canna released
  - From: ISHIKAWA Mutsumi
- [debian-devel:12601] Re: (draft) [SECURITY] New version of canna released
  - From: Fumitoshi UKAI

Prev by Date: [debian-devel:12610] Unanswered problem reports by maintainer and package
Next by Date: [debian-devel:12612] Re: EMACS (Re: update potato and problems...)
Previous by thread: [debian-devel:12601] Re: (draft) [SECURITY] New version of canna released
Next by thread: [debian-devel:12575] Re: ltmodem-installer ( Re: mknod )
Index(es):
- Date
- Thread