lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Fri, 5 Aug 2005 06:52:17 +0200 From: Lupe Christoph <lupe@...e-christoph.de> To: Stephen C Woods <scw@...s.ucla.edu> Cc: Imran Ghory <imranghory@...il.com>, bugtraq@...urityfocus.com Subject: Re: Zip 2,31 bad default file-permissions vulnerability On Thursday, 2005-08-04 at 15:17:35 -0700, Stephen C Woods wrote: > The problem is the zip uses a default mode of 666 (not knowing > anything about permissions by definition -it's a DOS program for Pete's > sake, you know single user file server). I still don't understand why this is a problem. If it were a problem, it would be one of humongous dimensions because it affects all programs that use open(..., 0666) to create non-executable files potentially containing sensitive contents. For example all editors. And all shells because any redirection could create such a file. If you work on confidential information, your umask should be 077. In a bank I worked for this was prescribed for the superuser account. Made for a lot of admin problems because root rarely creates files with confidential information, but frequently files that must be readable for anyone... Lupe Christoph -- | You know we're sitting on four million pounds of fuel, one nuclear | | weapon and a thing that has 270,000 moving parts built by the lowest | | bidder. Makes you feel good, doesn't it? | | Rockhound in "Armageddon", 1998, about the Space Shuttle |
Powered by blists - more mailing lists