oss-sec mailing list archives
Re: Question about world readable config files and commented warnings
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 30 Jun 2015 08:31:08 -0600
On 06/30/2015 12:03 AM, gremlin () gremlin ru wrote:
On 2015-06-29 23:11:08 -0600, Kurt Seifried wrote: > So, if a config file is world readable by default, but the section > where you might put a password says: > # Database URI for the database that stores the package > # information. If it contains a password, make sure to > # adjust the permissions of the config > Is that good enough, e.g. no CVE, or do we actually need to have > proper permissions? For me, that means: the developers did their best, everything else is up to package maintainers. And, obviously, when the administrators will fill in the connection parameters, they most likely will see this warning. > I'm thinking we need proper permissions and not a note (especially > with administration tools/etc that may parse/modify the file > but not change the perms). My experience says that developers' attempts to perform chmod (or, even worse, chown) during `make install` are just ugly (at least they never check whether DESTDIR is empty).
From a developer perspective I somewhat agree, however I'm looking at this from a vendor perspective where we do control the chmod, easily (RPM spec file). -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security contact: secalert () redhat com
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- Question about world readable config files and commented warnings Kurt Seifried (Jun 29)
- Re: Question about world readable config files and commented warnings gremlin (Jun 29)
- Re: Question about world readable config files and commented warnings Kurt Seifried (Jun 30)
- Re: Question about world readable config files and commented warnings vladz (Jun 30)
- Re: Question about world readable config files and commented warnings Seth Arnold (Jun 30)
- Re: Question about world readable config files and commented warnings Kurt Seifried (Jun 30)
- Re: Question about world readable config files and commented warnings gremlin (Jun 29)
- Re: Question about world readable config files and commented warnings cve-assign (Jun 30)
- Re: Question about world readable config files and commented warnings Kurt Seifried (Jun 30)
- Re: Re: Question about world readable config files and commented warnings Seth Arnold (Jun 30)
- Re: Question about world readable config files and commented warnings cve-assign (Jun 30)
- Re: Question about world readable config files and commented warnings Kurt Seifried (Jun 30)
- Re: Question about world readable config files and commented warnings cve-assign (Jun 30)
- Re: Question about world readable config files and commented warnings Kurt Seifried (Jun 30)