
RC Security Flaw - mkdir & script create as 755, 644. SB &700, yes?



[I thought debian-devel would be the best place to send this.  If there's a
more appropriate place, please let me know.]

Last weekend I did a base Woody install, then upgraded to Sid.  
At some point in that process, as root, in /root, I did
mkdir dir
cd dir
script

The directory "dir" had permissions 755.
The script file had permissions 644.

I think, from a security standpoint, from a fresh install, it would be
appropriate to have the default permissions be at most 700 (i.e., no bits on in
the group & world fields).  Especially because Debian is about to do a major
new release, and for this release GUIs are much more advanced, and Debian will
probably grow to acquire many more users less skilled in sysadminning than in
the past.  (Thus, slightly "safer" settings might be appropriate.)

[I know this isn't RC like it "makes unrelated software on the system (or the
whole system) break, or causes serious data loss", but it does, IMO,
"introduces a security hole" of a sort.]

Thoughts?  And, if fixing this is a good idea, what's the "official" way to get
this accomplished?  Does a bug need to be filed against some package?  Which? 
(I'm in no position to know the answers to those questions.)

I'll read the mailing list archive.  Please cc me if you want a reply, or if
you so desire.

TIA





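The 755 and 644 modes reported in the message come from the process umask: mkdir requests mode 0777 and ordinary file creation requests 0666, and the bits set in the umask are cleared from each. The shell sketch below is an added example, not part of the original post; the function name modes_under_umask is hypothetical, the file is created with a plain redirect as a stand-in for the log that script writes, and GNU stat (stat -c) is assumed, as on Debian.

```shell
#!/bin/sh
# Added example (not from the original message).
# modes_under_umask MASK
#   Creates a directory and a file under the given umask inside a scratch
#   directory and prints their octal modes as "DIRMODE FILEMODE".
#   The body is a subshell, so the caller's umask is left untouched.
modes_under_umask() (
    mask=$1
    work=$(mktemp -d) || exit 1

    umask "$mask"
    mkdir "$work/dir"              # requested 0777, minus umask bits
    : > "$work/dir/typescript"     # requested 0666, minus umask bits
                                   # ("typescript" is script's default log name)

    # Assumption: GNU coreutils stat, which prints the octal mode with -c %a.
    out="$(stat -c %a "$work/dir") $(stat -c %a "$work/dir/typescript")"

    rm -rf "$work"
    printf '%s\n' "$out"
)

# Compare the common default (022) with two tighter settings.
printf '%-6s %-4s %-4s\n' umask dir file
for m in 022 027 077; do
    set -- $(modes_under_umask "$m")
    printf '%-6s %-4s %-4s\n' "$m" "$1" "$2"
done

# Show what the current shell would do, e.g. in root's login session.
printf 'current umask: %s\n' "$(umask)"
```

With umask 077 the same two commands give 700 and 600, which is the "no group or world bits" result asked about above; the setting applies per process, so it has to be in effect in the shell that runs mkdir and script.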