
Re: /home/loser is with permissions 755, default umask 0022



On 13-11-2020 08:18, Georgi Guninski wrote:
> Some more exploit vectors from the FD list:
> https://seclists.org/fulldisclosure/2020/Nov/13
>
> Partial results:
>
> 1. mutt (text email client) exposes ~/.mutt/muttrc,
> which might contain the imap password in plaintext.

Interesting find. Please report this to the mutt package maintainer using reportbug[1].


> 2. Some time ago on a multiuser debian mirror we found a lot of data,
> including the wordpress password of the admin.

As Giacomo already explained, there is nothing an OS can do to stop the insecure behavior of its users.


> 3. Anything created by EDITOR NEWFILE is readable, unless the directory
> prevents. This includes root doing EDITOR /etc/NEWFILE

Yes, that is indeed the default. If you don't like it, you can change the system umask in /etc/login.defs or /etc/profile.

Somehow I get the feeling you are using debian-security@lists.debian.org to report security issues with Debian. This is, however, just a discussion mailing list about Debian security. If you wish to report a serious security issue (which I did not find in your e-mails), you need to contact the Debian Security Team[2].

Kind regards,

Richard

[1]: https://wiki.debian.org/reportbug
[2]: https://www.debian.org/security/faq#contact
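
An added example, not part of the original message: a POSIX shell check for the exposure discussed in this thread. It lists files under a home directory that other local users can read and shows the effect of the umask and of the home directory mode; the temporary directory and the `.private/notes` file are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread). All paths are constructed in a temp dir.

# List regular files under DIR that any local user can read. Directories
# without o+x are pruned, since "other" cannot reach anything below them.
world_readable_files() {
    find "$1" \( -type d ! -perm -o=x -prune \) -o \( -type f -perm -o=r -print \)
}

# Create an empty FILE (and its parent directory) under the given umask,
# in a subshell so the caller's own umask is left unchanged.
create_with_umask() {
    ( umask "$1" && mkdir -p "$(dirname "$2")" && : > "$2" )
}

# Constructed home directory with mode 755, as in the subject line.
demo_home=$(mktemp -d) || exit 1
chmod 755 "$demo_home"

create_with_umask 0022 "$demo_home/.mutt/muttrc"    # default umask: 644 file
create_with_umask 0077 "$demo_home/.private/notes"  # restrictive umask: 600 file

echo "Readable by other users with the home directory at 755:"
world_readable_files "$demo_home"

# Closing the home directory hides everything below it, whatever the file modes.
chmod 700 "$demo_home"
echo "Readable by other users with the home directory at 700:"
world_readable_files "$demo_home"

rm -rf "$demo_home"
```

Pointing `world_readable_files` at a real home directory gives the list of files to review before tightening the umask or the directory mode.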


