
Possible security violation in the suck-package?



Hello,

I just migrated from leafnode to inn + suck on my Debian Woody box.
After installing suck I think I have discovered a possible security
violation. /etc/suck/get-news.conf is installed as root:root with
default file permissions 644. This means that $WORLD can read passwords
from this file which are stored there to get access to the upstream
newsserver.
IIRC /usr/sbin/get-news has to be run as user "news" and not as "root"
thus the script won't work if I change the permissions of get-news.conf
to 600 or 640. Or am I completely wrong and get-news should be started
as "root"? Anyway, 644 as default for files which store passwords is
pretty weird in my opinion.
Any comments concerning this are very welcome.

Regards,
Marcus
-- 
Fickle minds, pretentious attitudes
and ugly make-up on ugly faces...
The Goth Goose Of The Week: http://www.gothgoose.net
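
The following is an added example, not part of the original post or of the suck package: a shell check for the condition the message describes, a credential file that is world-readable yet must stay readable by the unprivileged account that runs the fetch job. It assumes GNU stat and that read access is granted through the file's group (for instance a group named "news" with mode 640); the function name and that layout are assumptions.

```shell
#!/bin/sh
# Added example (not from the suck package). Requires GNU stat.
# check_secret_conf FILE GROUP
#   Returns 0 when FILE is readable by GROUP but not by other users,
#   1 when a finding was printed, 2 when FILE does not exist.
check_secret_conf() {
    file=$1
    want_group=$2
    [ -f "$file" ] || { echo "MISSING $file"; return 2; }

    mode=$(stat -c '%a' "$file")     # octal mode, e.g. 644
    group=$(stat -c '%G' "$file")    # owning group name
    other=$(( mode % 10 ))           # last octal digit: "other" bits
    grp=$(( (mode / 10) % 10 ))      # middle digit: group bits
    rc=0

    if [ "$other" -ne 0 ]; then
        echo "FAIL $file: mode $mode lets every local user access it"
        rc=1
    fi
    if [ $(( grp & 2 )) -ne 0 ]; then
        echo "FAIL $file: mode $mode is group-writable"
        rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "FAIL $file: group is $group, expected $want_group"
        rc=1
    elif [ $(( grp & 4 )) -eq 0 ]; then
        # The 600 case from the post: the service account loses access.
        echo "FAIL $file: group $want_group cannot read it (mode $mode)"
        rc=1
    fi
    return $rc
}

# Demo on a constructed file standing in for /etc/suck/get-news.conf.
demo=$(mktemp)
demo_group=$(stat -c '%G' "$demo")   # stand-in for the assumed group "news"
chmod 644 "$demo"; check_secret_conf "$demo" "$demo_group" || true
chmod 640 "$demo"; check_secret_conf "$demo" "$demo_group" && echo "OK at 640"
rm -f "$demo"
```

On a real system the call would be `check_secret_conf /etc/suck/get-news.conf news`, with "news" as the assumed group of the account that runs get-news.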


