Bug 9981

Summary: /var/lib/rpm is being set mode 755 which appears to be a security issue
Product: Mageia    Reporter: George Mitchell <george>
Component: RPM Packages    Assignee: Thierry Vignaud <thierry.vignaud>
Status: RESOLVED INVALID QA Contact:
Severity: normal    
Priority: Normal Keywords: Triaged
Version: Cauldron   
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard:
Source RPM: rpm-4.11.0.1-1.mga3.src.rpm CVE:
Status comment:

Description George Mitchell 2013-05-04 18:18:05 CEST
Description of problem:

/var/lib/rpm mode is set to 755.  According to Red Hat's sectool, this is a security issue since it leaves the package databases insecure.  Securing this directory screws up the mgaapplet perl script.  This REALLY needs to be looked at. I know there is likely no easy resolution to this issue.  But it looks like a serious security issue to me and something needs to be done to address it.

 
Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.


Comment 1 George Mitchell 2013-05-04 19:10:35 CEST
Actually, there appears to be an easy solution.  Set /var/lib/rpm to 750.  Add rpm group to user's group permissions.  That should resolve this.
Manuel Hiebel 2013-05-05 12:12:15 CEST

Keywords: (none) => Triaged
Version: 3 => Cauldron
Assignee: bugsquad => thierry.vignaud

Comment 2 David Walser 2013-05-05 16:40:30 CEST
This is already handled by msec.  In the secure level the rpm stuff is only readable by the rpm group.  In the standard level, all the 755/644 means is that regular users can query the package database.

Status: NEW => RESOLVED
Resolution: (none) => INVALID
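The thread turns on the difference between mode 755 (any local user can read and query the package database, the msec standard level described in Comment 2) and mode 750 with group rpm (the restriction proposed in Comment 1 and applied by msec's secure level). The following audit script is an added example, not part of the bug report, of rpm, or of Mageia's msec; it classifies a directory by its "other" and "group" permission bits and reports the owning group so an administrator can see which of the two states the database is in. The directory path is a parameter (defaulting to /var/lib/rpm) so the same check runs against a scratch directory; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or from msec): audit the permission
# mode of an rpm database directory and classify it the way the bug thread
# does: 755 = world-readable (msec standard level), 750 = readable only by
# the owner and the owning group (msec secure level with group rpm).

# Print the octal mode of a path. GNU stat first, BSD stat as a fallback.
dir_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the owning group name of a path (GNU first, BSD fallback).
dir_group() {
    stat -c '%G' "$1" 2>/dev/null || stat -f '%Sg' "$1"
}

# Classify a directory by its permission bits.
# Prints one of: world-readable, group-restricted, owner-only
# Returns 1 when "other" has any access bit set, 0 otherwise, 2 on error.
classify_rpmdb() {
    mode=$(dir_mode "$1") || return 2
    # Take the last two octal digits as strings, so a setuid/setgid/sticky
    # prefix (e.g. "2750") or a leading zero cannot confuse the arithmetic.
    other=$(printf '%s\n' "$mode" | sed 's/.*\(.\)$/\1/')
    group=$(printf '%s\n' "$mode" | sed 's/.*\(.\).$/\1/')
    if [ "$other" -ne 0 ]; then
        echo "world-readable"
        return 1
    elif [ "$group" -ne 0 ]; then
        echo "group-restricted"
        return 0
    else
        echo "owner-only"
        return 0
    fi
}

# Report mode, owning group and classification for one directory.
# Exit status mirrors classify_rpmdb so the script can be used in cron/msec-style checks.
audit_rpmdb() {
    dir=${1:-/var/lib/rpm}
    if [ ! -d "$dir" ]; then
        echo "$dir: not present on this system"
        return 2
    fi
    verdict=$(classify_rpmdb "$dir")
    status=$?
    printf '%s: mode %s, group %s -> %s\n' \
        "$dir" "$(dir_mode "$dir")" "$(dir_group "$dir")" "$verdict"
    return $status
}

# When run directly, audit the real database directory (or the path in $1).
audit_rpmdb "$@"
```

Run it as `sh rpmdb-audit.sh` on a Mageia host to see which msec state applies; a non-zero exit means the database is readable by every local user, which is the 755 situation Comment 2 describes as the standard level, not a defect in rpm itself.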