Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling

To: debian-lts@lists.debian.org
Subject: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
From: Emilio Pozuelo Monfort <pochu@debian.org>
Date: Wed, 3 Aug 2016 00:16:13 +0200
Message-id: <[🔎] bcb2f824-3d27-6a77-d888-e1c780f5bd49@debian.org>
In-reply-to: <[🔎] CABY6=0kW9uENqRppjmW09DprdZDsyWpwrxB1M7EkW=NhtszQAg@mail.gmail.com>
References: <CABY6=0=eDKzBhT8tZ7_U9XWwE_P9AE8YJwk-F_HMCwGWwte+rw@mail.gmail.com> <[🔎] 1470023627.982933.682182961.5886488C@webmail.messagingengine.com> <[🔎] CABY6=0mA_8y6hpbobNKh4SWj9qz-2S8+MZWz5x-8wNunwO-8FA@mail.gmail.com> <[🔎] CABY6=0kLZWLpPB1+2oXu9COe8KezDWNGb7rGeZnR8akyGf4BjA@mail.gmail.com> <[🔎] CABY6=0kF3ZP11r_ipMUteXHzVAOXWJcF40Pi_LUdAAkm2nuJ8g@mail.gmail.com> <[🔎] 1470158088.2374063.683937161.2562FD51@webmail.messagingengine.com> <[🔎] CABY6=0kW9uENqRppjmW09DprdZDsyWpwrxB1M7EkW=NhtszQAg@mail.gmail.com>

On 02/08/16 23:57, Ola Lundqvist wrote:
> Hi Chris
> 
> The reason I do not simply set the umask to a fixed value is to use the same 
> principle as upstream. That is honor the umask set bu the user. There may be 
> reasons why group read and/or write should be set for example.
> 
> I agree with upstream that the umask should be honored, but not as strictly as 
> upstream do. This is why I just override the "world readable" part and let the 
> rest be controlled by the user.
> 
> In the working patch you can see that I also set back the umask (just a little 
> further down in the file) as it was to just change this specific case of logging.
> 
> More clear now?

What do other programs do for similar files? My .bash_history is 0600 even
though my umask is 0022. Having a umask that allows other users to read your
files by default doesn't mean sensitive-information should be made available. So
perhaps you should ignore if the umask allows the group to read files?

Cheers,
Emilio

Reply to:

Follow-Ups:
- Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
  - From: Ola Lundqvist <ola@inguza.com>

References:
- Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
  - From: Chris Lamb <lamby@debian.org>
- Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
  - From: Ola Lundqvist <ola@inguza.com>
- Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
  - From: Ola Lundqvist <ola@inguza.com>
- Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
  - From: Ola Lundqvist <ola@inguza.com>
- Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
  - From: Chris Lamb <lamby@debian.org>
- Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
  - From: Ola Lundqvist <ola@inguza.com>

Prev by Date: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
Next by Date: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
Previous by thread: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
Next by thread: Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling
Index(es):
- Date
- Thread