Bugtraq mailing list archives
Addendum to FrontPage password issue
From: root () VICTIM COM (hostmaster)
Date: Fri, 9 Jan 1998 17:05:21 -0800
Upon further review, the problem is not as severe as I originally thought. Everything is set umask 002 only if a group is specified on the fp_install command line (i.e. you don't want everything owned by group root). And they're world-readable because the web server (presumably running as nobody) has to be able to read them to do HTTP authentication.

The permissions _can_ be successfully changed. In my case, I used a Solaris ACL to give the httpd user read permission and set the password files to 0600, and changed the umask in the fp_install script to be a little less trusting. YMMV - changing the permissions made it bomb the first time around, but it's working for me now.

Sorry for the false alarm. There are still some very strange things going on with the default installation scripts' use of permissions and I intend to review this more thoroughly over the weekend.

-- Dave Pifke, dave () victim com
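The permission change described in the message above, as an added example that is not part of the original post or of FrontPage's scripts: it shows the modes that umask 002 and 077 produce, then finds and tightens world-readable files. The file name `sample.pwd` and the function names are constructed; the read grant for the single server account (a Solaris ACL in the post) is platform-specific and not shown.

```shell
#!/bin/sh
# Added example with constructed file names; nothing here comes from fp_install.

# Print the permission string a new file receives when created under a umask.
perms_under_umask() {
    um=$1; dir=$2
    (
        umask "$um"
        f="$dir/created_with_$um"
        : > "$f"
        ls -l "$f" | cut -c1-10   # first 10 columns: type + rwx bits
    )
}

# List files matching a name pattern that every local user can read.
world_readable() {
    find "$1" -type f -name "$2" -perm -004 -print
}

# Restrict those files to owner read/write only (0600).
# After this, a server running as another user needs an explicit grant,
# such as the per-user ACL the post mentions, or authentication will fail.
lock_down() {
    find "$1" -type f -name "$2" -perm -004 -exec chmod 600 {} +
}

demo() {
    tmp=$(mktemp -d) || return 1
    echo "umask 002 -> $(perms_under_umask 002 "$tmp")"
    echo "umask 077 -> $(perms_under_umask 077 "$tmp")"
    # Constructed stand-in for a password file written under the lax umask.
    (umask 002; : > "$tmp/sample.pwd")
    echo "world-readable before:"
    world_readable "$tmp" '*.pwd'
    lock_down "$tmp" '*.pwd'
    echo "world-readable after: $(world_readable "$tmp" '*.pwd' | wc -l)"
    rm -rf "$tmp"
}

demo
```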