
Re: Possible security violation in the suck-package?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* Marcus Frings <iam-est-hora-surgere@fuckmicrosoft.com> [021207 00:52]:
> Hello,
> 
> I just migrated from leafnode to inn + suck on my Debian Woody box.
> After installing suck I think I have discovered a possible security
> violation. /etc/suck/get-news.conf is installed as root:root with
> default file permissions 644. This means that $WORLD can read passwords
> from this file which are stored there to get access to the upstream
> newsserver.
Right.

> IIRC /usr/sbin/get-news has to be run as user "news" and not as "root"
> thus the script won't work if I change the permissions of get-news.conf
> to 600 or 640. Or am I completely wrong and get-news should be started
> as "root"? Anyway, 644 as default for files which store passwords is
> pretty weird in my opinion.
> Any comments concerning this are very welcome.
I would agree: giving anyone else the possibility of reading the passwords of
your upstream newsserver won't be a good idea :)

That should definitely be fixed.

Regards

Martin


- -- 
|------------------------------------------------------------
|   Martin Helas                             mhelas@helas.net
|    PGP: 1474 4CAC EF5C ECFA E29E  2CB1 7929 AB90 F7AC 3AF0
|------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE98TwjeSmrkPesOvARAgGhAJ0bvEparbObee04w9QwtfRs/iYjhgCgkEhN
0txLkmMazOOLcbYVOJIE7/E=
=8kgV
-----END PGP SIGNATURE-----
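A small shell sketch of the check and the fix discussed in this thread, added here as an example (it is not code from the thread, from Debian or from the suck package). The path /etc/suck/get-news.conf and the "news" user come from the thread; the function names and the 0640 root:news layout are my own. The idea is that a root-owned 0600 file is unreadable to a script running as "news", while root:news 0640 keeps the file readable by that account and out of $WORLD's reach.

```shell
#!/bin/sh
# Added example, not part of the original thread or the suck package.
# Audit a config directory for world-readable files and re-permission one
# so that only root and the service account's group can read it.
# Assumed layout for the thread's case: root:news 0640 on
# /etc/suck/get-news.conf, so that get-news running as "news" still works.

# Print every regular file under $1 that is readable by "other" (o+r).
find_world_readable() {
    find "$1" -type f -perm -o=r
}

# Return 0 if $1 is not world-readable, 1 otherwise.
is_private() {
    [ -z "$(find "$1" -prune -perm -o=r)" ]
}

# Make $1 readable by root and group $2 only: root:$2, mode 0640.
# The chgrp is skipped with a warning if the group does not exist on this
# host (e.g. a box without the news user); the chmod is applied regardless,
# so the file at least stops being world-readable.
harden_conf() {
    f=$1
    grp=$2
    if getent group "$grp" >/dev/null 2>&1 || grep -q "^$grp:" /etc/group 2>/dev/null; then
        chgrp "$grp" "$f"
    else
        echo "warning: group $grp not found, group ownership unchanged" >&2
    fi
    chmod 0640 "$f"
}

# Typical use on the thread's box (run as root):
#   find_world_readable /etc/suck
#   harden_conf /etc/suck/get-news.conf news
```

Run find_world_readable against /etc/suck first to see what is exposed, then harden_conf on the file with the upstream password. Whether 0640 is enough depends on who else is in the group you pick; if "news" is shared with other daemons, a dedicated group is the safer choice.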