Bug 11291

Summary: msec security warning for system user davfs2
Product: Mageia Reporter: Richard Gee <mageia>
Component: RPM PackagesAssignee: Mageia tools maintainers <mageiatools>
Status: REOPENED --- QA Contact:
Severity: normal    
Priority: Normal CC: andresalaun, marja11, remco, shlomif, vbeffers
Version: Cauldron   
Target Milestone: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard: MGA5TOO
Source RPM: msec-0.80.10-13.mga3.src.rpm CVE:
Status comment:

Description Richard Gee 2013-09-26 12:21:30 CEST 
Description of problem:
Msec reports the following security warning:

Security Warning: these home directory should not be owned by someone else or writable :
user=davfs2(490) : home directory is group writable.

Version-Release number of selected component (if applicable):
msec: 0.80.10


How reproducible:
After msec has run, view detailed msec daily log (/var/log/security/mail.daily.today)

Steps to Reproduce:
1.
2.
3.


Reproducible: 

Steps to Reproduce:
Victor Beffers 2013-10-18 11:19:03 CEST

CC: (none) => vbeffers

Comment 1 Marja Van Waes 2015-03-31 16:02:39 CEST 
Mageia 3 changed to end-of-life (EOL) status 4 months ago.
http://blog.mageia.org/en/2014/11/26/lets-say-goodbye-to-mageia-3/ 

Mageia 3 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Mageia
please feel free to click on "Version" change it against that version of Mageia
and reopen this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

--
The Mageia Bugsquad

Status: NEW => RESOLVED
Resolution: (none) => OLD

Comment 2 Big YellowHats 2015-11-02 01:25:57 CET 
Fresh install from Mageia-5-LiveDVD-KDE4-x86_64-DVD.iso ...confusion persists.

msec version:  1.13-1.1.mga5

Status: RESOLVED => REOPENED
CC: (none) => inetcustomer-mageia
Component: RPM Packages => Security
Version: 3 => 5
Resolution: OLD => (none)

David Walser 2015-11-11 16:31:03 CET

Component: Security => RPM Packages

Comment 3 Remco Rijnders 2016-03-31 08:47:19 CEST 
@Big YellowHats, @Richard Gee, do either of you make active use of this package (davfs2) on your machine?

CC: (none) => remco

Comment 4 Big YellowHats 2016-03-31 10:32:49 CEST 
(In reply to Remco Rijnders from comment #3)
> @Big YellowHats, @Richard Gee, do either of you make active use of this
> package (davfs2) on your machine?

AFAIK it was a dependency only.  Currently that dependency no longer exists so I have removed the package.
Comment 5 Remco Rijnders 2016-03-31 11:41:14 CEST 
(In reply to Big YellowHats from comment #4)
> AFAIK it was a dependency only.  Currently that dependency no longer exists
> so I have removed the package.

Thanks! I think this can easily be fixed, but would like to have an active user of the package confirm it doesn't break anything.
Samuel Verschelde 2016-10-15 23:40:49 CEST

Assignee: bugsquad => mageiatools

Comment 6 Marja Van Waes 2016-10-20 22:25:28 CEST 
*** Bug 13953 has been marked as a duplicate of this bug. ***

CC: (none) => andresalaun

Comment 7 Marja Van Waes 2016-10-20 23:29:34 CEST 
@ shlomi

Since you're the registered maintainer of davfs2:

/run/mount.davfs2/ is indeed group writeable (I can't find anything else that could be the mentioned home directory). 

[root@cldrn_64 /]# ls -al /run/ | grep davfs2
drwxrwxr-t  2 root    davfs2    40 okt 20 14:33 mount.davfs2/
[root@cldrn_64 /]#

However, that's needed because you need to add yourself to the davfs2 group to get it to work. I do not know why root owns the directory.

<btw>
My webdav mountpoint is in my home directory, with me as owner + group. 
I do also use Dolphin to access a remote webdav share, but this warning already existed before I started using Dolphin for webdav access.
</btw>

Is it OK to change this report into a request to suppress that warning, or should first be tried whether having davfs *own* /run/mount.davfs2/ would already be enough to get rid of it?

If the latter, do you then mind assigning this report to yourself?

Cheers,
Marja

CC: (none) => marja11, shlomif
Version: 5 => Cauldron
Whiteboard: (none) => MGA5TOO

Big YellowHats 2016-10-21 03:41:12 CEST

CC: inetcustomer-mageia => (none)