Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling

To: Ola Lundqvist <ola@inguza.com>, 832908@bugs.debian.org, Debian LTS <debian-lts@lists.debian.org>
Cc: kpcyrd@rxv.cc, gcs@debian.org, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
From: Chris Lamb <lamby@debian.org>
Date: Mon, 01 Aug 2016 05:53:47 +0200
Message-id: <[🔎] 1470023627.982933.682182961.5886488C@webmail.messagingengine.com>
In-reply-to: <CABY6=0=eDKzBhT8tZ7_U9XWwE_P9AE8YJwk-F_HMCwGWwte+rw@mail.gmail.com>
References: <CABY6=0=eDKzBhT8tZ7_U9XWwE_P9AE8YJwk-F_HMCwGWwte+rw@mail.gmail.com>

> 2) How do you plan to handle the "upgrade case" that is will you try to
> change the permission on already created history file or will you just
> handle the creation case?

For redis, what I did was set and then unset the umask (for creation) and
chmod(2) the file afterwards to "upgrade" existing ones.

I don't recommend a postinst approach (ie. chmod 0600 /home/*/.filename) for
various reasons.


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-

Reply to:

Follow-Ups:
- Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
  - From: Ola Lundqvist <ola@inguza.com>

Next by Date: Redis not uploaded and timely security announcements
Next by thread: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
Index(es):
- Date
- Thread