certtools / intelmq

intelmqsetup tries to fix ownership of related directories:

Lines 172 to 176 in 7674949

    
           if ownership: 
        
               print('Setting intelmq as owner for it\'s directories.') 
        
               for obj in (CONFIG_DIR, DEFAULT_LOGGING_PATH, ROOT_DIR, VAR_RUN_PATH, 
        
                           VAR_STATE_PATH, FILE_OUTPUT_PATH, Path(STATE_FILE_PATH).parent): 
        
                   change_owner(obj, owner='intelmq')

However, the ROOT_DIR can be set to /:

intelmq/intelmq/__init__.py

Lines 18 to 20 in 7674949

    
           if path == "lsb": 
        
               ROOT_DIR = os.getenv("ROOT_DIR", "/") 
        
               CONFIG_DIR = os.path.join(ROOT_DIR, "etc/intelmq/")

This causes intelmqsetup to take over the ownership of the root directory, what could open some security risk as well as break some system actions (e.g. systemd-tmpfiles)

It should be noted that path == "lsb" is only true if the user explicitly sets INTELMQ_PATHS_NO_OPT, and only in installations from git/PyPI. Installations from packages are not affected, the affected code is not present there.

	if ownership:
	print('Setting intelmq as owner for it\'s directories.')
	for obj in (CONFIG_DIR, DEFAULT_LOGGING_PATH, ROOT_DIR, VAR_RUN_PATH,
	VAR_STATE_PATH, FILE_OUTPUT_PATH, Path(STATE_FILE_PATH).parent):
	change_owner(obj, owner='intelmq')

	if path == "lsb":
	ROOT_DIR = os.getenv("ROOT_DIR", "/")
	CONFIG_DIR = os.path.join(ROOT_DIR, "etc/intelmq/")

intelmqsetup changes the root directory ownership