Date: Mon, 29 Jun 2015 23:11:08 -0600 From: Kurt Seifried <kseifried@...hat.com> To: Assign a CVE Identifier <cve-assign@...re.org>, oss-security@...ts.openwall.com Subject: Question about world readable config files and commented warnings So, if a config file is world readable by default, but the section where you might put a password says: ######## # Database URI for the database that stores the package information. If it # contains a password, make sure to adjust the permissions of the config ######## Is that good enough, e.g. no CVE, or do we actually need to have proper permissions? I'm thinking we need proper permissions and not a note (especially with administration tools/etc that may parse/modify the file but not change the perms). Thoughts/comments/final decision from Mitre is welcome. -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security contact: secalert@...hat.com Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ