
Possible security violation in the suck-package?


I just migrated from leafnode to inn + suck on my Debian Woody box.
After installing suck I think I have discovered a possible security
violation. /etc/suck/get-news.conf is installed as root:root with
default file permissions 644. This means that $WORLD can read passwords
from this file which are stored there to get access to the upstream
IIRC /usr/sbin/get-news has to be run as user "news" and not as "root"
thus the script won't work if I change the permissions of get-news.conf
to 600 or 640. Or am I completely wrong and get-news should be started
as "root"? Anyway, 644 as default for files which store passwords is
pretty weird in my opinion.
Any comments concerning this are very welcome.

Fickle minds, pretentious attitudes
and ugly make-up on ugly faces...
The Goth Goose Of The Week: http://www.gothgoose.net
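
Added example (not part of the original post and not code from the suck package): a shell check for the condition described above, a world-readable configuration file that stores passwords, together with one way to restrict it so that a non-root account can still read it through group membership. The function names are hypothetical, and it is an assumption that the account running get-news belongs to the group passed in; the demo runs on a constructed temp file.

```shell
#!/bin/sh
# Added example: audit a password-bearing config file and restrict it to one group.
# Assumption: the account that runs get-news is a member of the group passed in.

# Succeeds when "other" has read permission (8th character of the ls -l mode string).
world_readable() {
    case $(ls -ld "$1" 2>/dev/null) in
        ???????r*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print a finding for FILE; return 1 if any local user can read it.
audit_secret_conf() {
    f=$1
    [ -e "$f" ] || { echo "MISSING $f"; return 2; }
    desc=$(ls -ld "$f" | awk '{print $1, $3 ":" $4}')
    if world_readable "$f"; then
        echo "FAIL $f ($desc): readable by every local user"
        return 1
    fi
    echo "OK   $f ($desc)"
}

# Keep root as owner, grant read to GROUP only, drop all access for others.
harden_secret_conf() {
    f=$1
    grp=$2
    # Changing ownership needs root; without it only the mode is changed.
    if [ "$(id -u)" -eq 0 ]; then
        chown "root:$grp" "$f" || return 1
    fi
    chmod 640 "$f"
}

# Demo on a constructed temp file standing in for /etc/suck/get-news.conf.
demo=$(mktemp)
chmod 644 "$demo"
audit_secret_conf "$demo" || true     # FAIL: mode 644
harden_secret_conf "$demo" "$(id -gn)"
audit_secret_conf "$demo"             # OK: mode 640
rm -f "$demo"
```

On a real system this would be run as root, for example `harden_secret_conf /etc/suck/get-news.conf news`, assuming a `news` group exists and the get-news account is in it.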
