#285551 aptitude: permissions of log file should be 0640

Package:
aptitude
Source:
aptitude
Description:
terminal-based package manager
Submitter:
martin f krafft
Date:
2022-04-17 03:45:03 UTC
Severity:
wishlist
Tags:
#285551#3
Date:
2004-12-13 23:58:47 UTC
From:
To:
Please consider making the log file of aptitude root:adm with 0640
permissions, in accordance with the majority of other log files.

Thanks,

#285551#8
Date:
2004-12-14 00:20:44 UTC
From:
To:
  Why?  There's nothing confidential about the information in the log file; if
you want to (eg) find out what vulnerable software is available on the
system, the apt cache (which is also unprotected by default) is a much better
place to look.

  I could be persuaded, but simply saying that most other log files are 0640
doesn't convince me.  Most other log files are liable to contain privileged
information about the operation of system daemons, mistyped usernames and
passwords, information about when users log in and out, etc.  aptitude's log
file just gives a history of package installations/removals/upgrades.

  Daniel

#285551#11
Date:
2004-12-14 00:35:39 UTC
From:
To:
thus spoke Daniel Burrows <dburrows@debian.org> [2004.12.14.0120 +0100]:

Let's ask it this way: why does aptitude need to be readable by the
world?

Sorry for being terse in the report. See debian-devel for a thread
about log permissions standardisation.

Debian tries to be secure but not too secure to limit usability.
A good way to approach this is by starting with the lowest set of
privileges and expanding only as you need them. This is the way
firewalls are designed, and the way that security usually works.

I cannot offer a better argument, I am afraid.

To a hacker, any information is good information. On my systems,
/var/lib/dpkg/status is 0640:root:staff for precisely this reason.

#285551#16
Date:
2004-12-14 00:45:15 UTC
From:
To:
  I saw the thread.  At least a few of the files you mentioned have good
reason to be 0644; I'd hate to have to switch to root whenever I report an X
bug.

  So, have you filed a bug asking for dpkg and apt to switch their cache files
to mode 0640 to close this security hole?

  I'll switch the permissions in the next upload, but that's not going to be
for a while.  I don't think this is serious enough to merit an immediate
upload.

  Daniel

#285551#19
Date:
2004-12-14 01:02:42 UTC
From:
To:
thus spoke Daniel Burrows <dburrows@debian.org> [2004.12.14.0145 +0100]:

I meant the new thread, in which Santiago is slamming me down.

No, I might though. :)

Note how I filed a wishlist bug. I did not even expect such a quick
response.

Cheers, and good night.

#285551#24
Date:
2011-12-09 03:53:22 UTC
From:
To:
Daniel Burrows <dburrows@debian.org> wrote:

Presently, the permissions of aptitude's log file are not different to
those of apt or dpkg:

#285551#29
Date:
2011-12-09 07:35:18 UTC
From:
To:
thus spoke Daniel Burrows <dburrows@debian.org> [2004.12.14.0120 +0100]:

I am of the opinion that not more information than necessary should
be made available. On the other side of things is "convenience".

In the case of this bug, since the maintainer(s) have reservations,
I have no problem staying with the status quo. I would have liked it
better the other way, but I can live…

#285551#34
Date:
2011-12-09 08:26:51 UTC
From:
To:
For the record, making the apt and dpkg logs world readable was
requested in Launchpad bug #404724¹ and Debian bug #480556²,
respectively.

Cheers,
       Sven

¹ https://bugs.launchpad.net/ubuntu/+source/apt/+bug/404724
² http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=480556
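
Added example, not part of the original thread or of aptitude itself: a small POSIX shell audit that checks log files against the 0640 root:adm policy requested in this report and flags any file that grants access to "other". It assumes GNU `stat`; the paths in the usage comment are assumed typical Debian locations, not taken from the thread.

```shell
#!/bin/sh
# Added example: audit package-manager logs against the 0640 root:adm policy
# requested in this report. Requires GNU stat (coreutils), as shipped on Debian.

# audit_log FILE [WANT_MODE] [WANT_OWNER]
# Prints one verdict line; returns 0 only when FILE matches the policy.
audit_log() {
    file=$1
    want_mode=${2:-640}
    want_owner=${3:-root:adm}
    if [ ! -e "$file" ]; then
        echo "MISSING $file"
        return 2
    fi
    mode=$(stat -L -c '%a' "$file")       # octal mode, e.g. 644
    owner=$(stat -L -c '%U:%G' "$file")   # e.g. root:root
    other=${mode#"${mode%?}"}             # last octal digit = bits for "other"
    if [ "$other" != 0 ]; then
        # Any access for "other" is the condition the report asks to remove.
        echo "WORLD-ACCESSIBLE $file mode=$mode owner=$owner"
        return 1
    fi
    if [ "$mode" != "$want_mode" ] || [ "$owner" != "$want_owner" ]; then
        echo "MISMATCH $file mode=$mode owner=$owner want=$want_mode $want_owner"
        return 1
    fi
    echo "OK $file mode=$mode owner=$owner"
}

# audit_all FILE... : audit every file, return 1 if any is non-compliant.
audit_all() {
    rc=0
    for f in "$@"; do
        audit_log "$f" || rc=1
    done
    return "$rc"
}

# Run only when paths are given, e.g. (assumed typical Debian locations):
#   sh audit-logs.sh /var/log/aptitude /var/log/apt/history.log /var/log/dpkg.log
if [ "$#" -gt 0 ]; then
    audit_all "$@"
fi
```

A flagged file can be brought in line with `chown root:adm FILE` and `chmod 0640 FILE`. If the file is rotated by logrotate, a `create 0640 root adm` directive in its stanza keeps the mode across rotations.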
