Date: Tue, 30 Jun 2015 08:31:08 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com Subject: Re: Question about world readable config files and commented warnings On 06/30/2015 12:03 AM, gremlin@...mlin.ru wrote: > On 2015-06-29 23:11:08 -0600, Kurt Seifried wrote: > > > So, if a config file is world readable by default, but the section > > where you might put a password says: > > # Database URI for the database that stores the package > > # information. If it contains a password, make sure to > > # adjust the permissions of the config > > Is that good enough, e.g. no CVE, or do we actually need to have > > proper permissions? > > For me, that means: the developers did their best, everything else > is up to package maintainers. > > And, obviously, when the administrators will fill in the connection > parameters, they most likely will see this warning. > > > I'm thinking we need proper permissions and not a note (especially > > with administration tools/etc that may parse/modify the file > > but not change the perms). > > My experience says that developers' attempts to perform chmod (or, > even worse, chown) during `make install` are just ugly (at least > they never check whether DESTDIR is empty). From a developer perspective I somewhat agree, however I'm looking at this from a vendor perspective where we do control the chmod, easily (RPM spec file). -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security contact: secalert@...hat.com [ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ