Bugtraq mailing list archives

default permissions for tin


From: cazz () RUFF CS JMU EDU (Brian)
Date: Wed, 17 Nov 1999 09:58:45 -0500


the default permissions for the tin (v 1.4.0) configuration directory allow
users to read passwords

[[cazz@ruff:~]$ ls -la |grep .tin
drwxr-xr-x   7 cazz     cazz         1024 Nov 17 09:03 .tin

[[cazz@ruff:~/.tin]$ ls -la .inputhistory 
-rw-rw-r--   1 cazz     cazz         8192 Nov 17 09:21 .inputhistory

if a user is using an authenticated news server, tin saves all
keystrokes typed into tin in the file ~/.tin/.inputhistory

simple solution:

rm -f ~/.tin/.inputhistory
touch ~/.tin/.inputhistory
chmod 000 ~/.tin/.inputhistory

-cazz
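
An added example, not part of the original post or of tin: two POSIX shell functions that list everything under a tin configuration directory that group or other users can access, and then strip those permission bits. The function names and the script name `tin_audit.sh` are hypothetical; unlike the fix in the post, this keeps the history file in place and only closes access by other accounts.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on a tin configuration
# directory. Assumes the layout shown in the post (<home>/.tin and
# <home>/.tin/.inputhistory). Function names are hypothetical.

# Print every file or directory under $1 that has any group or other
# permission bit set. Returns 1 if something was found, 0 otherwise
# (a missing directory counts as nothing to report).
audit_tin_dir() {
    [ -d "$1" ] || return 0
    # POSIX find has no "any of these bits" test, so each bit is OR-ed.
    findings=$(find "$1" \( -type f -o -type d \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Remove all group/other access below $1. Owner bits are left unchanged,
# so tin can still use its own files.
harden_tin_dir() {
    [ -d "$1" ] || return 0
    chmod -R go-rwx "$1"
}

# Stand-alone use (hypothetical script name):
#   sh tin_audit.sh /home/alice/.tin /home/bob/.tin
if [ $# -gt 0 ]; then
    for d in "$@"; do
        audit_tin_dir "$d" || echo "exposed: consider harden_tin_dir $d" >&2
    done
fi
```

A restrictive umask (for example 077) in the account's shell startup file keeps files that are created later from picking up group or other bits again.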
