Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Mon, 29 Jun 2015 23:11:08 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: Assign a CVE Identifier <cve-assign@...re.org>,
        oss-security@...ts.openwall.com
Subject: Question about world readable config files and commented warnings

So, if a config file is world readable by default, but the section where
you might put a password says:

########
# Database URI for the database that stores the package information. If it
# contains a password, make sure to adjust the permissions of the config
########

Is that good enough, e.g. no CVE, or do we actually need to have proper
permissions?

I'm thinking we need proper permissions and not a note (especially with
administration tools/etc. that may parse/modify the file but not change
the perms). Thoughts/comments/final decision from Mitre are welcome.

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com
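The check a practitioner would want alongside the question above, as an added example that is not part of the original message or of any project it refers to: a loader that does not rely on the commented warning but inspects the file mode whenever it finds an embedded password, and a writer that creates the file with mode 0600 from the start. The INI layout, the setting name `database_uri`, the sample URI and the file names are my assumptions for the demonstration.

```python
"""
Added example (not from the original post or any project): a loader that
does not trust a "fix the permissions yourself" comment and instead checks
the mode of a config file when it finds a credential in it.

Assumptions (mine): the config is INI-style, the setting is named
`database_uri`, and a password counts as present when the URI has a
`user:password@` authority. File names and sample contents below are
constructed for the demonstration.
"""
import configparser
import os
import stat
import tempfile
from urllib.parse import urlsplit

# Constructed sample: the comment tells the admin to fix permissions, but
# nothing in the program enforces it.
SAMPLE_CONFIG = """\
[database]
########
# Database URI for the database that stores the package information. If it
# contains a password, make sure to adjust the permissions of the config
########
database_uri = postgresql://pkguser:s3cret@db.example.internal/pkgdb
"""


def uri_has_password(uri: str) -> bool:
    """True when the URI authority carries an embedded password."""
    return urlsplit(uri).password is not None


def config_exposure(path: str, section: str = "database",
                    key: str = "database_uri") -> list[str]:
    """Return findings for PATH; an empty list means nothing to report.

    A finding is raised only when both conditions hold: the file contains a
    credential, and group or other can read it. A world-readable file that
    holds no secret is fine; a 0600 file that holds a secret is fine.
    """
    findings: list[str] = []
    parser = configparser.ConfigParser()
    parser.read(path)
    uri = parser.get(section, key, fallback="")
    if not uri_has_password(uri):
        return findings
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(
            f"{path}: {section}.{key} embeds a password but mode is {mode:04o}; "
            "group/other can read it (expected 0600, or 0640 with a trusted group)"
        )
    return findings


def write_private_config(path: str, contents: str) -> int:
    """Create PATH with mode 0600 at open time, so there is no window in
    which the process umask could leave it readable by others. Returns the
    resulting mode bits."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(contents)
    os.chmod(path, 0o600)  # covers a pre-existing file with a wider mode
    return stat.S_IMODE(os.stat(path).st_mode)


def demo() -> tuple[list[str], list[str]]:
    """Write the same config two ways and check both; returns (weak, fixed)."""
    with tempfile.TemporaryDirectory() as d:
        weak = os.path.join(d, "weak.conf")
        with open(weak, "w") as f:
            f.write(SAMPLE_CONFIG)
        os.chmod(weak, 0o644)  # the world-readable default the post asks about
        fixed = os.path.join(d, "fixed.conf")
        write_private_config(fixed, SAMPLE_CONFIG)
        return config_exposure(weak), config_exposure(fixed)


if __name__ == "__main__":
    weak_findings, fixed_findings = demo()
    for line in weak_findings:
        print("FAIL:", line)
    print("fixed config findings:", fixed_findings)
```

The point of the split is that the check keys on the presence of a credential, not on the file name: a world-readable config with an anonymous or socket URI produces no finding, while the same file with `user:password@` in it does, regardless of what the comment block says.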
