Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 30 Jun 2015 08:31:08 -0600
From: Kurt Seifried <>
Subject: Re: Question about world readable config files and
 commented warnings

On 06/30/2015 12:03 AM, wrote:
> On 2015-06-29 23:11:08 -0600, Kurt Seifried wrote:
>  > So, if a config file is world readable by default, but the section
>  > where you might put a password says:
>  > # Database URI for the database that stores the package
>  > # information. If it contains a password, make sure to
>  > # adjust the permissions of the config
>  > Is that good enough, e.g. no CVE, or do we actually need to have
>  > proper permissions?
> For me, that means: the developers did their best, everything else
> is up to package maintainers.
> And, obviously, when the administrators will fill in the connection
> parameters, they most likely will see this warning.
>  > I'm thinking we need proper permissions and not a note (especially
>  > with administration tools/etc that may parse/modify the file
>  > but not change the perms).
> My experience says that developers' attempts to perform chmod (or,
> even worse, chown) during `make install` are just ugly (at least
> they never check whether DESTDIR is empty).

From a developer perspective I somewhat agree, however I'm looking at
this from a vendor perspective where we do control the chmod, easily
(RPM spec file).

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact:

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ