Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling

To: Chris Lamb <lamby@debian.org>
Cc: Ola Lundqvist <ola@inguza.com>, 832908@bugs.debian.org, Debian LTS <debian-lts@lists.debian.org>, kpcyrd@rxv.cc, László Böszörményi <gcs@debian.org>, Salvatore Bonaccorso <carnil@debian.org>
Subject: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
From: Ola Lundqvist <ola@inguza.com>
Date: Wed, 3 Aug 2016 00:05:31 +0200
Message-id: <[🔎] CABY6=0nBc9wfwzDwomb=yQYyr4QJbdR9HqOLx7AG_zW61ZWxeg@mail.gmail.com>
In-reply-to: <[🔎] 1470175255.3127846.684220689.12A8C7CC@webmail.messagingengine.com>
References: <CABY6=0=eDKzBhT8tZ7_U9XWwE_P9AE8YJwk-F_HMCwGWwte+rw@mail.gmail.com> <[🔎] 1470023627.982933.682182961.5886488C@webmail.messagingengine.com> <[🔎] CABY6=0mA_8y6hpbobNKh4SWj9qz-2S8+MZWz5x-8wNunwO-8FA@mail.gmail.com> <[🔎] CABY6=0kLZWLpPB1+2oXu9COe8KezDWNGb7rGeZnR8akyGf4BjA@mail.gmail.com> <[🔎] CABY6=0kF3ZP11r_ipMUteXHzVAOXWJcF40Pi_LUdAAkm2nuJ8g@mail.gmail.com> <[🔎] 1470158088.2374063.683937161.2562FD51@webmail.messagingengine.com> <[🔎] CABY6=0kW9uENqRppjmW09DprdZDsyWpwrxB1M7EkW=NhtszQAg@mail.gmail.com> <[🔎] 1470175255.3127846.684220689.12A8C7CC@webmail.messagingengine.com>

Hi Chris

I had this

// Make sure this file is not readable by others

But maybe it was not clear enough. :-)

// Ola

On Wed, Aug 3, 2016 at 12:00 AM, Chris Lamb <lamby@debian.org> wrote:

> This is why I just override the "world readable" part and
> let the rest be controlled by the user.

Ah, didn't quite spot you are overriding just this bit. Worth a comment
I think.

> In the working patch you can see that I also set back the umask (just a
> little further down in the file) as it was to just change this specific
> case of logging.

Well, sure, of course. :)

Regards,

--
,''`.
: :' : Chris Lamb
`. `'` lamby@debian.org / chris-lamb.co.uk
`-

--- Inguza Technology AB --- MSc in Information Technology ----

/ ola@inguza.com Folkebogatan 26 \

| opal@debian.org 654 68 KARLSTAD |

| http://inguza.com/ Mobile: +46 (0)70-332 1551 |

\ gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9 /

---------------------------------------------------------------

Reply to:

References:
- Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
  - From: Chris Lamb <lamby@debian.org>
- Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
  - From: Ola Lundqvist <ola@inguza.com>
- Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
  - From: Ola Lundqvist <ola@inguza.com>
- Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
  - From: Ola Lundqvist <ola@inguza.com>
- Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
  - From: Chris Lamb <lamby@debian.org>
- Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
  - From: Ola Lundqvist <ola@inguza.com>
- Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
  - From: Chris Lamb <lamby@debian.org>

Prev by Date: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
Next by Date: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
Previous by thread: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
Next by thread: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
Index(es):
- Date
- Thread