lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <20050805045217.GA19422@lupe-christoph.de>
Date: Fri, 5 Aug 2005 06:52:17 +0200
From: Lupe Christoph <lupe@...e-christoph.de>
To: Stephen C Woods <scw@...s.ucla.edu>
Cc: Imran Ghory <imranghory@...il.com>, bugtraq@...urityfocus.com
Subject: Re: Zip 2,31 bad default file-permissions vulnerability


On Thursday, 2005-08-04 at 15:17:35 -0700, Stephen C Woods wrote:

>   The problem is the zip uses a default mode of 666 (not knowing
> anything about permissions by definition -it's a DOS program for Pete's
> sake, you know single user file server).

I still don't understand why this is a problem. If it were a problem, it
would be one of humongous dimensions because it affects all programs
that use open(..., 0666) to create non-executable files potentially
containing sensitive contents. For example all editors. And all shells
because any redirection could create such a file.

If you work on confidential information, your umask should be 077. In a
bank I worked for this was prescribed for the superuser account. Made
for a lot of admin problems because root rarely creates files with
confidential information, but frequently files that must be readable
for anyone...

Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear     |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?                               |
| Rockhound in "Armageddon", 1998, about the Space Shuttle               |


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ