oss-sec mailing list archives
Re: Question about world readable config files and commented warnings
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 30 Jun 2015 10:32:56 -0600
On 06/30/2015 09:55 AM, cve-assign () mitre org wrote:
>> # Database URI for the database that stores the package information. If it
>> # contains a password, make sure to adjust the permissions of the config
>
> In the "If it contains a password, make sure" scenario that you mentioned, it seems entirely reasonable for the default permissions to reflect the author's preference for the normal case. (A password in a URI might be rare.) In other words, the author may want to optimize for situations where configuration data is read by users or administrators who login with an unprivileged account for most day-to-day work. Alternatively, in some cases a configuration approach could be redesigned to use separate files for sensitive data elements.
Ok, so does a situation where the author creates the config file with that warning, and then a vendor repackages and ships it, still world readable, still with the warning, warrant a CVE?

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com
Attachment:
signature.asc
Description: OpenPGP digital signature
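The exchange above turns on two defensive points: an embedded password makes a world-readable config file an exposure, and the sensitive element can instead be split into its own tightly-permissioned file. The script below is an added example written for this archive page; it is not code from the thread or from any project discussed in it. It assumes a constructed key=value config format with a `database_uri` key (neither is taken from a real project) and checks the permission bits on POSIX systems only.

```python
"""Added example (not from the oss-sec thread): audit a config file whose
database URI may embed a password, flag it when the file is world-readable,
optionally tighten the mode, and show the split-into-a-secrets-file alternative.
The config format, key name and sample values are constructed for illustration."""
import os
import stat
import tempfile
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample config, modelled on the comment quoted in the thread.
SAMPLE_CONFIG = """\
# Database URI for the database that stores the package information. If it
# contains a password, make sure to adjust the permissions of the config
database_uri = postgresql://pkguser:hunter2@db.internal/packages
listen = 0.0.0.0:8080
"""

URI_KEY = "database_uri"  # assumed key name; not from any real project


def uri_has_password(uri: str) -> bool:
    """True if the URI authority carries a password (scheme://user:pass@host/...)."""
    parts = urlsplit(uri)
    return bool(parts.password)


def find_credentialed_uris(text: str) -> List[str]:
    """Return the values of URI_KEY entries whose URI embeds a password."""
    found = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == URI_KEY and uri_has_password(value.strip()):
            found.append(value.strip())
    return found


def is_world_readable(path: str) -> bool:
    """POSIX check: is the 'other' read bit set on the file?"""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def audit_config(path: str, fix: bool = False) -> Dict[str, bool]:
    """Report whether the file embeds a password and is readable by everyone.
    With fix=True, an exposed file is tightened to 0600 (owner read/write only)."""
    with open(path) as fh:
        has_password = bool(find_credentialed_uris(fh.read()))
    if has_password and fix and is_world_readable(path):
        os.chmod(path, 0o600)
    world_readable = is_world_readable(path)
    return {"has_password": has_password,
            "world_readable": world_readable,
            "exposed": has_password and world_readable}


def split_out_password(text: str) -> Tuple[str, Optional[str]]:
    """The redesign alternative from the thread: strip the password out of the
    URI and hand it back separately, so it can live in its own 0600 secrets file
    while the main config stays world-readable."""
    out, secret = [], None
    for raw in text.splitlines():
        key, sep, value = raw.partition("=")
        if sep and key.strip() == URI_KEY and uri_has_password(value.strip()):
            p = urlsplit(value.strip())
            secret = p.password
            netloc = p.hostname or ""
            if p.port:
                netloc += f":{p.port}"
            if p.username:
                netloc = f"{p.username}@{netloc}"
            raw = f"{key.strip()} = {p._replace(netloc=netloc).geturl()}"
        out.append(raw)
    return "\n".join(out) + "\n", secret


def demo() -> Tuple[Dict[str, bool], Dict[str, bool]]:
    """Write the constructed config world-readable (the shipped default the thread
    describes), audit it, then audit again after tightening the mode."""
    with tempfile.NamedTemporaryFile("w", suffix=".conf", delete=False) as fh:
        fh.write(SAMPLE_CONFIG)
        path = fh.name
    os.chmod(path, 0o644)
    before = audit_config(path)
    after = audit_config(path, fix=True)
    os.unlink(path)
    return before, after


if __name__ == "__main__":
    print(demo())
    print(split_out_password(SAMPLE_CONFIG))
```

Run as a script it prints the audit result before and after the fix, then the scrubbed config alongside the extracted password. A packaging check along these lines (run against the files a package installs) is how a vendor would catch the "shipped world-readable, warning and all" situation the reply asks about.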