/etc/couchdb and /var/log/couchdb owned by couchdb:couchdb

Bug #731272 reported by Vasily Kulikov
Affects            Status        Importance   Assigned to    Milestone
desktopcouch       Invalid       Undecided    Unassigned
couchdb (Ubuntu)   Fix Released  Undecided    Chad Miller

Bug Description

The ownership of these files introduces a security risk (from couchdb*.postinst):

        chown -R couchdb:couchdb /etc/couchdb
        chmod 0775 /etc/couchdb
        chmod 0664 /etc/couchdb/default.ini
        chmod 0664 /etc/couchdb/local.ini

        mkdir -p /var/lib/couchdb/"${VERSION}"
        mkdir -p /var/log/couchdb
        chown -R couchdb:couchdb /var/lib/couchdb
        chown -R couchdb:couchdb /var/log/couchdb
        chmod 0770 /var/lib/couchdb /var/lib/couchdb/"${VERSION}"
        chmod 0770 /var/log/couchdb

The worst scenario: if the couchdb user creates a hardlink to a root-owned file/device in one of these directories and the couchdb package is reinstalled, then the hardlink would be writable by the couchdb user, leading to privilege escalation.

Reference: http://www.openwall.com/lists/oss-security/2011/03/06/5
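The report's scenario hinges on one property of `chown -R`: it changes the owner of each inode it reaches, and a hardlink is just another name for an inode, so re-owning a link inside /etc/couchdb re-owns the original file outside it. The following helpers are an added example of the defensive side of that, written for this page and not taken from the couchdb package or from any Debian/Ubuntu maintainer script: `audit_hardlinks` lists files in a tree whose inode has more than one name, and `chown_known_files` is a replacement for the recursive chown that re-owns only explicitly named entries and refuses when any of them is multiply linked. Both assume GNU find (`-printf`) and GNU stat (`-c`); the directory layout built at the end is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the couchdb package: helpers a maintainer script
# could use instead of a blind "chown -R" over a tree the service user can
# write to. Assumes GNU find (-printf) and GNU stat (-c).

# audit_hardlinks DIR
# Print every regular file under DIR whose inode has more than one name
# (link count > 1). A recursive chown re-owns the inode, so every other name
# for it, wherever it lives, changes owner too. Returns 1 when any such file
# exists, 0 when the tree is clean.
audit_hardlinks() {
    dir=$1
    find "$dir" -type f -links +1 \
        -printf 'hardlinked: %p (links=%n owner=%u)\n' 2>/dev/null
    n=$(find "$dir" -type f -links +1 -print 2>/dev/null | wc -l | tr -d ' ')
    [ "$n" -eq 0 ]
}

# chown_known_files USER:GROUP DIR FILE...
# Re-own only DIR itself and the files named explicitly, and refuse the whole
# operation if any named file has a second hard link. Files the service user
# dropped into DIR on its own are never touched.
chown_known_files() {
    owner=$1
    dir=$2
    shift 2
    for f in "$@"; do
        links=$(stat -c %h "$dir/$f") || return 1
        if [ "$links" -ne 1 ]; then
            printf 'refusing %s: %s names for this inode\n' "$dir/$f" "$links" >&2
            return 1
        fi
    done
    chown "$owner" "$dir" || return 1
    for f in "$@"; do
        chown "$owner" "$dir/$f" || return 1
    done
}

# Stand-alone demo on a constructed directory layout (no real system paths):
# a file outside the tree gets a second name inside it, as in the report.
tmp=$(mktemp -d)
mkdir "$tmp/etc" "$tmp/outside"
echo 'owned by someone else' > "$tmp/outside/target"
echo '[couchdb]' > "$tmp/etc/local.ini"
ln "$tmp/outside/target" "$tmp/etc/innocent.ini"
audit_hardlinks "$tmp/etc" || echo "audit: would refuse chown -R over $tmp/etc"
rm -rf "$tmp"
```

In a postinst the pattern would be to run `audit_hardlinks` and abort (or re-own only the files the package itself ships) when it reports anything, rather than letting `chown -R` walk whatever the service user left behind; the Debian fix this bug was closed with takes the same direction by making the package-shipped configuration root-owned instead of recursively handing the tree to couchdb.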


Revision history for this message
Chad Miller (cmiller) wrote :

This isn't a bug in desktopcouch, as far as I can tell.

Changed in desktopcouch:
status: New → Invalid
Chad Miller (cmiller)
Changed in couchdb (Ubuntu):
assignee: nobody → Chad Miller (cmiller)
visibility: private → public
Changed in couchdb (Ubuntu):
status: New → Triaged
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package couchdb - 1.2.0-2ubuntu1

---------------
couchdb (1.2.0-2ubuntu1) quantal; urgency=low

  * Merge from Debian unstable (LP: #1022515, LP: #817656):
    - fixes ownership of /etc/couchdb. LP: #731272.
  * Remaining changes:
    - Use pkg-config instead of the js-config script shipped by libmozjs
    - debian/rules, debian/control: split couchdb and couchdb-bin
    - debian/postinst: renamed to couchdb-bin.postinst
    - debian/couchdb-bin.postrm: don't try to delete couchdb system
      user/group
  * Dropped changes, superseded upstream:
    - Backport svn r1039345 from 1.0.3
    - debian/patches/couchio-*: patchset from CouchIO to fix U1 replication
      over SSL. It's not clear if these were upstreamed, but most of the
      source files they applied to no longer exist at all upstream, so if
      these are still needed they will need to be redone.
    - debian/patches/fix-help2man.patch: dropped, no longer needed
    - debian/patches/jquery15-fix.patch: Make Futon work with jQuery 1.5
    - debian/patches/moz*.patch: Spidermonkey 1.8.54 patchset
  * Dropped changes, included in Debian:
    - debian/control - bump standards version
    - debian/control - fix lintian error not-binnmuable-all-depends-any
    - Build against a proper libmozjs
    - Update build-depends/depends/build config (we no longer need the
      --with-js build flags)
  * Dropped changes, superseded in Debian:
    - source/format - mark package as 1.0 format
    - change the default permissions on /etc/couchdb to 0775 and files to
      0664

  [ Jason Gerard DeRose ]
  * /etc/couchdb/default.ini and /etc/couchdb/default.d are delivered in the
    `couchdb-bin` package and are owned by root
  * /etc/couchdb/local.ini and /etc/couchdb/local.d are delivered in the
  * The `couchdb-bin` package does not create nor require the "couchdb" user
    (this is now done in the `couchdb` package instead). LP: #1007125.
  * Added a short sleep delay in couchdb.postrm so couchdb is more likely to
    have actually terminated by the time we `deluser couchdb`, which is needed
    for `sudo apt-get purge couchdb` to work when couchdb is running
 -- Steve Langasek <email address hidden> Tue, 31 Jul 2012 02:04:48 +0000

Changed in couchdb (Ubuntu):
status: Triaged → Fix Released
This report contains Public Security information: everyone can see this security related information.
