Please consider making the log file of aptitude root:adm with 0640 permissions, in accordance with the majority of other log files. Thanks,
Why? There's nothing confidential about the information in the log file; if you want to (e.g.) find out what vulnerable software is available on the system, the apt cache (which is also unprotected by default) is a much better place to look. I could be persuaded, but simply saying that most other log files are 0640 doesn't convince me. Most other log files are liable to contain privileged information about the operation of system daemons, mistyped usernames and passwords, information about when users log in and out, etc. aptitude's log file just gives a history of package installations/removals/upgrades. Daniel
also sprach Daniel Burrows <dburrows@debian.org> [2004.12.14.0120 +0100]: Let's ask it this way: why does aptitude need to be readable by the world? Sorry for being terse in the report. See debian-devel for a thread about log permissions standardisation. Debian tries to be secure but not too secure to limit usability. A good way to approach this is by starting with the lowest set of privileges and expanding only as you need them. This is the way firewalls are designed, and the way that security usually works. I cannot offer a better argument, I am afraid. To a hacker, any information is good information. On my systems, /var/lib/dpkg/status is 0640:root:staff for precisely this reason.
I saw the thread. At least a few of the files you mentioned have good reason to be 0644; I'd hate to have to switch to root whenever I report an X bug. So, have you filed a bug asking for dpkg and apt to switch their cache files to mode 0640 to close this security hole? I'll switch the permissions in the next upload, but that's not going to be for a while. I don't think this is serious enough to merit an immediate upload. Daniel
also sprach Daniel Burrows <dburrows@debian.org> [2004.12.14.0145 +0100]: I meant the new thread, in which Santiago is slamming me down. No, I might though. :) Note how I filed a wishlist bug. I did not even expect such a quick response. Cheers, and good night.
Daniel Burrows <dburrows@debian.org> wrote: Presently, the permissions of aptitude's log file are not different to those of apt or dpkg:
also sprach Daniel Burrows <dburrows@debian.org> [2004.12.14.0120 +0100]: I am of the opinion that not more information than necessary should be made available. On the other side of things is "convenience". In the case of this bug, since the maintainer(s) have reservations, I have no problem staying with the status quo. I would have liked it better the other way, but I can live…
For the record, making the apt and dpkg logs world readable was
requested in Launchpad bug #404724¹ and Debian bug #480556²,
respectively.
Cheers,
Sven
¹ https://bugs.launchpad.net/ubuntu/+source/apt/+bug/404724
² http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480556
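An added example, not part of the thread: one way to check a log directory against the 0640 policy requested in the report, listing every regular file that grants more than that mode or has an unexpected owner or group. The function names and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile

POLICY_MODE = 0o640  # the mode requested in the report


def excess_bits(mode, policy=POLICY_MODE):
    """Return the permission bits set in `mode` that `policy` does not grant."""
    return stat.S_IMODE(mode) & ~policy & 0o7777


def audit_logs(root, policy=POLICY_MODE, owner=None, group=None):
    """Report regular files under `root` that exceed `policy`.

    owner/group are numeric ids (for root:adm, 0 and
    grp.getgrnam("adm").gr_gid); None skips that check.
    Returns a sorted list of (path, mode string, [reasons]).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: never follow a symlink out of the tree
            if not stat.S_ISREG(st.st_mode):
                continue
            reasons = []
            extra = excess_bits(st.st_mode, policy)
            if extra:
                reasons.append("extra bits %04o" % extra)
            if owner is not None and st.st_uid != owner:
                reasons.append("owner uid %d" % st.st_uid)
            if group is not None and st.st_gid != group:
                reasons.append("group gid %d" % st.st_gid)
            if reasons:
                findings.append((path, "%04o" % stat.S_IMODE(st.st_mode), reasons))
    return sorted(findings)


def demo():
    """Audit a constructed two-file tree: one 0644 file, one 0640 file."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("aptitude", 0o644), ("auth.log", 0o640)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)
        return [(os.path.basename(p), m, r) for p, m, r in audit_logs(root)]
```

Against a real system, call `audit_logs("/var/log", owner=0, group=<gid of adm>)`; files the audit lists are the ones a policy like the one discussed here would tighten.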