[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Possible security violation in the suck-package?



Hello,

I just migrated from leafnode to inn + suck on my Debian Woody box.
After installing suck I think I have discovered a possible security
violation. /etc/suck/get-news.conf is installed as root:root with
default file permissions 644. This means that $WORLD can read passwords
from this file which are stored there to get access to the upstream
newsserver.
IIRC /usr/sbin/get-news has to be run as user "news" and not as "root"
thus the script won't work if I change the permissions of get-news.conf
to 600 or 640. Or am I completely wrong and get-news should be started
as "root"? Anyway, 644 as default for files which store passwords is
pretty weird in my opinion.
Any comments concerning this are very welcome.

Regards,
Marcus
-- 
Fickle minds, pretentious attitudes
and ugly make-up on ugly faces...
The Goth Goose Of The Week: http://www.gothgoose.net

Attachment: pgpvc11BAzM0D.pgp
Description: PGP signature


Reply to: