Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 30 Jun 2015 08:31:08 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Question about world readable config files and
 commented warnings

On 06/30/2015 12:03 AM, gremlin@...mlin.ru wrote:
> On 2015-06-29 23:11:08 -0600, Kurt Seifried wrote:
> 
>  > So, if a config file is world readable by default, but the section
>  > where you might put a password says:
>  > # Database URI for the database that stores the package
>  > # information. If it contains a password, make sure to
>  > # adjust the permissions of the config
>  > Is that good enough, e.g. no CVE, or do we actually need to have
>  > proper permissions?
> 
> For me, that means: the developers did their best, everything else
> is up to package maintainers.
> 
> And, obviously, when the administrators will fill in the connection
> parameters, they most likely will see this warning.
> 
>  > I'm thinking we need proper permissions and not a note (especially
>  > with administration tools/etc that may parse/modify the file
>  > but not change the perms).
> 
> My experience says that developers' attempts to perform chmod (or,
> even worse, chown) during `make install` are just ugly (at least
> they never check whether DESTDIR is empty).

From a developer perspective I somewhat agree, however I'm looking at
this from a vendor perspective where we do control the chmod, easily
(RPM spec file).


-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com


[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ