[Bug 277470] Security Vulnerability: etcupdate incorrectly sets permissions for /var/db/etcupdate/conflicts/etc/master.passwd

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277470

            Bug ID: 277470
           Summary: Security Vulnerability: etcupdate incorrectly sets
                    permissions for
                    /var/db/etcupdate/conflicts/etc/master.passwd
           Product: Base System
           Version: 13.3-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: misc
          Assignee: bugs@FreeBSD.org
          Reporter: chris@cretaforce.gr

I've encountered an issue while upgrading systems from 13.2 to 13.3.

Upon executing the upgrade process using the following commands:

cd /usr/src
make buildworld
make buildkernel
make installkernel
etcupdate -p
make installworld
etcupdate

I noticed that during the final step (etcupdate), conflicts were detected in
the files /etc/master.passwd and /etc/group. Consequently, I utilized
`etcupdate resolve` to rectify these conflicts.

Before resolving the conflicts, I checked the file
/var/db/etcupdate/conflicts/master.passwd and found that it had insecure
permissions:

ls -la /var/db/etcupdate/conflicts/etc/master.passwd
-rw-r--r-- 1 root wheel 5690 Feb 28 00:05
/var/db/etcupdate/conflicts/etc/master.passwd

The file master.passwd contains encrypted root and user passwords, thereby
presenting a significant security risk due to its unrestricted read access.

Your attention to this matter would be greatly appreciated, and I remain
available to provide any additional information or assistance required for
troubleshooting.

-- 
You are receiving this mail because:
You are the assignee for the bug.