----- Forwarded message from Mario Lorenz <ml@vdazone.org> -----
Date: Fri, 9 Oct 1998 08:23:19 +0200
From: Mario Lorenz <ml@vdazone.org>
To: gnupg-bugs@gnu.org
Subject: (Unix)-Security-Problem on gpg-0.4.1
Hello,
I seem to have a little problem with gpg-0.4.1.
Reading the announcement on freshmeat, I downloaded it and built
it using the gnupg-0.4.1.spec from the scripts directory.
I run Linux-2.1.124, on a RH5.1 system, all current patches applied.
After installing the produced RPM, gpg is is installed setuid/setgid root, and
gpg doesnt seem to drop root group privileges. This means that all files it
creates (keys I created, files I signed) are owned by group 0 (root/wheel)
which is not the way it should be, IMHO.
Removing the setgid bit fixes the problem.
Hence your SPEC's should NOT "chmod +s gpg", but rather "chmod u+s gpg"
Since your policy (as per your documentation) is not to install any setuid
bits by default, I recommend removing the chmod altogether.
Please note that I am not on any gpg mailing list, if you have further
questions/comments, please cc: me.
Mario
--
Mario Lorenz Internet: <ml@vdazone.org>
Ham Radio: DL5MLO@OK0PKL.#BOH.CZE.EU
"I hear that if you play the NT 4.0 CD backwards, you get a Satanic message!"
"That's nothing. If you play it forward, it installs NT 4.0!"
----- End forwarded message -----
--
Koch Softwaresysteme / "The GNU Privacy Guard" is an OpenPGP system:
Remscheider Str. 22 / http://www.d.shuttle.de/isil/gnupg/gnupg.html
D-40215 Düsseldorf /
Germany / Fingerprint for <werner.koch@guug.de>:
+49 211 3180023 / ecaf 7590 eb34 43b5 c7cf 3acb 6c7e e1b8 621c c013
Date: Fri, 9 Oct 1998 08:23:19 +0200
From: Mario Lorenz <ml@vdazone.org>
To: gnupg-bugs@gnu.org
Subject: (Unix)-Security-Problem on gpg-0.4.1
Hello,
I seem to have a little problem with gpg-0.4.1.
Reading the announcement on freshmeat, I downloaded it and built
it using the gnupg-0.4.1.spec from the scripts directory.
I run Linux-2.1.124, on a RH5.1 system, all current patches applied.
After installing the produced RPM, gpg is is installed setuid/setgid root, and
gpg doesnt seem to drop root group privileges. This means that all files it
creates (keys I created, files I signed) are owned by group 0 (root/wheel)
which is not the way it should be, IMHO.
Removing the setgid bit fixes the problem.
Hence your SPEC's should NOT "chmod +s gpg", but rather "chmod u+s gpg"
Since your policy (as per your documentation) is not to install any setuid
bits by default, I recommend removing the chmod altogether.
Please note that I am not on any gpg mailing list, if you have further
questions/comments, please cc: me.
Mario
--
Mario Lorenz Internet: <ml@vdazone.org>
Ham Radio: DL5MLO@OK0PKL.#BOH.CZE.EU
"I hear that if you play the NT 4.0 CD backwards, you get a Satanic message!"
"That's nothing. If you play it forward, it installs NT 4.0!"
----- End forwarded message -----
--
Koch Softwaresysteme / "The GNU Privacy Guard" is an OpenPGP system:
Remscheider Str. 22 / http://www.d.shuttle.de/isil/gnupg/gnupg.html
D-40215 Düsseldorf /
Germany / Fingerprint for <werner.koch@guug.de>:
+49 211 3180023 / ecaf 7590 eb34 43b5 c7cf 3acb 6c7e e1b8 621c c013