oss-sec mailing list archives
Re: Question about world readable config files and commented warnings
From: Seth Arnold <seth.arnold () canonical com>
Date: Tue, 30 Jun 2015 14:59:17 -0700
On Tue, Jun 30, 2015 at 11:30:06PM +0200, vladz wrote:
> We all know that a better way to create the file would be to set the
> adequate umask first. But the above steps can be found in initialization
> and installation scripts (I can share a non-exhaustive list if wished).

Probably we should get CVEs assigned for these, that's the best way to make
sure they're not overlooked.

> I also wouldn't recommend the use of "-m 600" in the "install" command as
> it has the same problem:
>
> # touch f1
> # strace install -m 600 f1 f2
> [...]
> open("f2", O_WRONLY|O_CREAT|O_EXCL, 0644) = 4   // here f2 is readable
> chmod("f2", 0600) = 0

The three-argument open() has been available for absolute ages:
https://www.freebsd.org/cgi/man.cgi?query=open&apropos=0&sektion=2&manpath=FreeBSD+1.0-RELEASE&arch=default&format=html

I'm surprised install hasn't been updated at some point in the last twenty
years to use the mode correctly. It's probably also CVE-worthy.

Thanks
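The two patterns under discussion, shown side by side as an added shell example (not code from the thread or from coreutils): "touch then chmod" leaves the file at its umask-derived mode (0644 under the usual 022) until chmod runs, whereas restricting the umask before the creating call means the file is 0600 from the first instant, for touch and for `install -m 600` alike. The helper names and the temporary file paths are this example's own; the functions return the mode a concurrent reader would observe, so the difference can be checked rather than just described.

```shell
#!/bin/sh
# Added example (hypothetical helper names): compare file modes at creation.

# Print the octal permission bits of a file (GNU stat, falling back to BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# The pattern criticised in the thread: create under the default umask,
# then chmod. Returns the mode the file had *between* those two steps,
# which is what another local user could see in that window.
unsafe_create() {
    f=$1
    rm -f "$f"
    ( umask 022; touch "$f" )      # created 0666 & ~022 = 0644
    early=$(mode_of "$f")          # mode during the window
    chmod 600 "$f"                 # too late if someone already opened it
    echo "$early"
}

# Fix: restrict the umask in a subshell so the creating open(2) already
# receives 0600. Returns the mode immediately after creation.
safe_create() {
    f=$1
    rm -f "$f"
    ( umask 077; touch "$f" )      # created 0666 & ~077 = 0600
    mode_of "$f"
}

# Same fix applied to install(1): since install opens with 0644 and then
# chmods (per the strace in the thread), run it under a restrictive umask.
safe_install() {
    src=$1; dst=$2
    rm -f "$dst"
    ( umask 077; install -m 600 "$src" "$dst" )
    mode_of "$dst"
}

# Stand-alone demonstration when run directly.
if [ "${0##*/}" = "create-modes.sh" ]; then
    d=$(mktemp -d)
    echo "touch+chmod window mode : $(unsafe_create "$d/f1")"
    echo "umask-first touch mode  : $(safe_create "$d/f2")"
    echo "umask-first install mode: $(safe_install "$d/f2" "$d/f3")"
    rm -rf "$d"
fi
```

The subshell keeps the restrictive umask from leaking into the rest of the script; the same effect can be had by setting `umask 077` once at the top of an init or installation script that only creates private files.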
Current thread:
- Question about world readable config files and commented warnings Kurt Seifried (Jun 29)
- Re: Question about world readable config files and commented warnings gremlin (Jun 29)
- Re: Question about world readable config files and commented warnings Kurt Seifried (Jun 30)
- Re: Question about world readable config files and commented warnings vladz (Jun 30)
- Re: Question about world readable config files and commented warnings Seth Arnold (Jun 30)
- Re: Question about world readable config files and commented warnings Kurt Seifried (Jun 30)
- Re: Question about world readable config files and commented warnings gremlin (Jun 29)
- Re: Question about world readable config files and commented warnings cve-assign (Jun 30)
- Re: Question about world readable config files and commented warnings Kurt Seifried (Jun 30)
- Re: Re: Question about world readable config files and commented warnings Seth Arnold (Jun 30)
- Re: Question about world readable config files and commented warnings cve-assign (Jun 30)
- Re: Question about world readable config files and commented warnings Kurt Seifried (Jun 30)
- Re: Question about world readable config files and commented warnings cve-assign (Jun 30)
- Re: Question about world readable config files and commented warnings Kurt Seifried (Jun 30)