lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <DA6FEB95-A0D1-4867-844E-8D3E94E73364@svsnet.nl>
Date: Fri, 13 Nov 2020 10:38:54 +0100
From: Pim van Stam <pim@...net.nl>
To: Georgi Guninski <gguninski@...il.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Scope of Debian's /home/loser is with permissions 755,
 default umask 002



> On 12 Nov 2020, at 12:26, Georgi Guninski <gguninski@...il.com> wrote:
> 
> On Debian /home/loser is with permissions 755, default umask 0022
> 
> (If you don't understand the numbers, this means a lot of
> files are world readable).
> 
> On multiuser machines this sucks much.
> 
> Question: How much sensitive data can be read on default install?

Nothing or everything, depends on how you see it.
On default install there is only 1 active user, which is the person installing the system.
This person can see everything (is part of sudo group). The rest of the world can see nothing.

Then, and that is important, the person installing must know how to secure.
If you want to have multiple normal users and services, like web- and mailservices, you have to take extra care on securing the system.

Things like setting the rights, acl’s, sticky bits, etc are topics for linux beginners training!
Do take time to secure a system (any system).


> 
> Partial results:
> 
> 1. mutt (text email client) exposes ~/.mutt/muttrc,
> which might contain the imap password in plaintext.

should be 0700 / 0600

> 
> 2. Some time ago on a multiuser debian mirror we found a lot of data,
> including the wordpress password of the admin.

Too many times a see the www directory structure as 777, 775 or 755, where 700 or 750 is also working.

> 
> 3. Anything created by EDITOR NEWFILE is readable, unless the directory
> prevents. This include root doing EDITOR /etc/NEWFILE

So ?

> Debian said won't fix:
> https://www.openwall.com/lists/oss-security/2020/10/07/4

For most systems that’s ok, when having aware users (with clue)
For systems with unaware (clueless) people you have to do more system management. But that’s a general thing in my opinion.

Best regards,

Pim van Stam

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ