
Re: Bug#832908: mongodb: CVE-2016-6494: world-readable .dbshell history file: LTS update and upgrade handling

On Wed, Aug 03, 2016 at 12:25:32AM +0200, Ola Lundqvist wrote:
>    Hi
>    Maybe. However if someone is added to a users group that should really
>    mean that they should at least be able to read things, even though they
>    may not be able to write to stuff. So I actually think bash and others do
>    the wrong thing here.
>    The way I have done it is also more in line with upstream opinion, even
>    though upstream think it is ok for even anyone to read this file.
>    New simplified and with better comments attached to this mail.
>    Best regards

There is likely a reasonable difference between files like .bash_history
(which are meant to be used/accessed only by the creating user) and
files which are possibly or likely to be shared amongst a group of
users.  This case seems to be of the latter form.



Roberto C. Sánchez
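
As an added example (not part of this thread and not the Debian patch), these shell functions sort a history file's mode into the three cases the discussion turns on: owner-only, group-readable, and world-readable. They also show which mode a newly created file gets under a given umask. The function names are hypothetical and GNU `stat` (coreutils) is assumed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes GNU stat (coreutils).

# classify_mode OCTAL_MODE
# Maps a permission string such as 640 to the three cases debated above.
classify_mode() {
    case "$1" in
        *[4567])  echo world-readable ;;  # "other" read bit set: the reported bug
        *[4567]?) echo group-readable ;;  # group read bit only: the disputed case
        *)        echo owner-only ;;      # the .bash_history style of file
    esac
}

# mode_under_umask UMASK PATH
# Creates PATH (which must not exist yet) by plain redirection under UMASK,
# in a subshell so the caller's umask is untouched, and prints its octal mode.
mode_under_umask() {
    ( umask "$1" && : > "$2" ) || return 1
    stat -c '%a' "$2"
}

# audit_history FILE...
# Prints "<class> <mode> <path>" for each existing file.
# Returns 1 if any of them is world-readable, 0 otherwise.
audit_history() {
    rc=0
    for f in "$@"; do
        [ -f "$f" ] || continue
        m=$(stat -c '%a' "$f") || continue
        c=$(classify_mode "$m")
        echo "$c $m $f"
        [ "$c" = world-readable ] && rc=1
    done
    return "$rc"
}

# Stand-alone use: sh audit.sh ~/.dbshell ~/.bash_history
if [ "$#" -gt 0 ]; then
    audit_history "$@"
fi
```

A file created under umask 022 lands in the world-readable class, under 027 in the group-readable class, and under 077 in the owner-only class.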
