Bugtraq mailing list archives
Re: J-Pilot Permissions Vulnerability
From: Christopher Palmer <chrisp () BITSTREAM NET>
Date: Mon, 18 Dec 2000 16:12:09 -0600
On Fri, Dec 15, 2000 at 06:48:22PM -0500, Rich Lafferty wrote:
> Isn't that *expected* behavior? umask is used to set the default permission bits for file creation, and J-Pilot creates files with the permissions you specify in your umask. If you don't want new files created group-writeable, then set your umask so they're not!
J-Pilot may be doing what the user asks for, as you say, even if the user doesn't know she's asking for this bad behavior. (I call it `bad' because I doubt you can find a user anywhere that wants their grocery list world-readable or whatever.) I'm a fairly experienced UNIX user, and this bug bit me, too--I never expected J-Pilot to make my stuff anything other than 600.

The problem is that even if a user knows about the situation, they don't necessarily want to go changing their umask every time they launch and quit from J-Pilot--so you've got inconvenience butting heads with security, as ever.

The simple solution in this case is for J-Pilot to write files in mode 600, as probably every user everywhere will want. I could write a very simple wrapper to make J-Pilot have the right umask, but why should security be for only those in the know?

--
Christopher Palmer
Bitstream Underground
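The fix proposed in this message (write the data files mode 600 whatever the umask is), sketched in C as an added example; it is not J-Pilot's code or part of the original post. The function names, the file name `notes.dat` and the `/tmp` working directory are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Usual creation: 0666 is requested, so the caller's umask alone decides. */
int create_default(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* Owner-only creation: request 0600, then fchmod() so a file that already
 * exists with looser bits is tightened too (open() ignores the mode then). */
int create_private(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) { close(fd); return -1; }
    return fd;
}

/* Create a file in a fresh 0700 temp dir under `mask`; optionally leave a
 * loosely created file there first. Returns the final permission bits or -1. */
int resulting_mode(mode_t mask, int use_private, int preexisting) {
    char dir[] = "/tmp/umask_demo_XXXXXX", path[64];
    struct stat st;
    int fd, mode = -1;
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/notes.dat", dir); /* constructed name */
    mode_t old = umask(mask);
    if (preexisting && (fd = create_default(path)) >= 0) close(fd);
    fd = use_private ? create_private(path) : create_default(path);
    if (fd >= 0 && fstat(fd, &st) == 0) mode = (int)(st.st_mode & 0777);
    if (fd >= 0) close(fd);
    umask(old);      /* restore the process umask */
    unlink(path);
    rmdir(dir);
    return mode;
}

int main(void) {
    printf("umask 002, default:            %o\n", resulting_mode(002, 0, 0));
    printf("umask 002, private:            %o\n", resulting_mode(002, 1, 0));
    printf("umask 002, private, old file:  %o\n", resulting_mode(002, 1, 1));
    return 0;
}
```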