Re: Bug#3189: nvi over-cautious about .exrc?

To: debian-devel@lists.debian.org
Subject: Re: Bug#3189: nvi over-cautious about .exrc?
From: Oliver Oberdorf <oly@head-cfa.harvard.edu>
Date: Tue, 04 Jun 1996 08:30:10 -0400
Message-id: <[🔎] 199606041232.IAA23963@head-cfa>
In-reply-to: Your message of "Mon, 03 Jun 1996 22:42:15 PDT." <[🔎] Pine.SUN.3.93.960603223823.17268B-100000@bb29c>

Bill Mitchell
> On Tue, 4 Jun 1996, Ian Jackson wrote:
>
> >It is not the business of programs to check the permissions of the
> >dotfiles in users' home directories.
>
> I agree.  I chased my tail for quite a while some time back because of
> what I recall as procmail's concern over the permissions on my .forward
> file.  It didn't complain, it just didn't work as I expected from reading
> the docs.

But for a large system with many users (of varying levels of clue) it
is very beneficial for the SysAdmin that a user can't accidentally create
a writeable .forward file.  With a large enough system, a hacker could
just look for a writeable .forward and, statistically, be fairly sure to
find one.

I think /some/ apps need to check permissions to prevent inevitable security 
holes from popping up.  Ideally, those permission requirements should be

1. minimal - i.e. "no write access for group/other on .forward"

and

2. well documented

This may not be important for nvi, though I think it is, but it is clear
to me that it *is* the business of some programs to check permissions.
Not all Debian users will be as smart as Debian installers/admins.

-Oly

Reply to:

References:
- Re: Bug#3189: nvi over-cautious about .exrc?
  - From: Bill Mitchell <mitchell@mdd.comm.mot.com>

Prev by Date: Bug#3211: xsysinfo has no documentation
Next by Date: Re: Can we have a /etc/debian in base?
Previous by thread: Re: Bug#3189: nvi over-cautious about .exrc?
Next by thread: Bug#3189: nvi over-cautious about .exrc?
Index(es):
- Date
- Thread