Bugtraq mailing list archives
Re: J-Pilot Permissions Vulnerability
From: Robert Bihlmeyer <robbe () ORCUS PRIV AT>
Date: Tue, 19 Dec 2000 12:25:59 +0100
Judd Montgomery <judd () ENGINEER COM> writes:
> J-Pilot has always used the preset umask when creating directories and files, therefore I have never considered this to be a security risk. It is up to the system administrator or the user to set the umask to his/her liking.

I think the umask concept is lacking here. I need at least two general levels of modes: I'm perfectly happy with other users reading (executing) my shell scripts, source code, etc. - so I generally leave the umask somewhere near 022. OTOH, there's definitely data that I would like to keep private from everybody, or everybody outside my group: private notes, financial data, my mail, bookmarks, and so on.

The only way one can reach this goal with umask is with wrapper scripts (for example, gnucash could be wrapped by "(umask 077; gnucash.real)"). For notes, I'd have to have two instances of Emacs (public and private) running. Messy.

The alternative is to give more responsibility to applications. I think a good approximation for J-Pilot would be to OR the umask with 044, iff there are any private records present. Other apps that sometimes save private information could perhaps support a "private mode" (i.e. an editor could offer a command to later save a buffer with private umask).

Of course, ALL apps should preserve the mode of existing files unless told otherwise ...

--
Robbe
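
One way an application could take on the responsibility described in the message above, as an added example (not code from the post, its author, or J-Pilot): the hypothetical `save_file` ORs the umask with 044 for private data and keeps an existing file's mode across a temp-file-and-rename save, which is where modes are usually lost. The function names, the `PRIVATE_MASK` constant and the `.tmp` suffix are assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define PRIVATE_MASK 044  /* value proposed in the post: drop group/other read */

/* The umask can only be read by setting it, so this is not thread-safe. */
static mode_t current_umask(void)
{
    mode_t m = umask(0);
    umask(m);
    return m;
}

/* Hypothetical helper, not J-Pilot code: replace `path` with `data`.
 * An existing file keeps its mode; a new file gets 0666 & ~umask, with the
 * umask ORed with PRIVATE_MASK when is_private is set.
 * Returns the permission bits of the saved file, or -1 on error. */
int save_file(const char *path, const char *data, int is_private)
{
    char tmp[4096];
    struct stat st;
    mode_t mode;
    size_t len = strlen(data);

    if (stat(path, &st) == 0)
        mode = st.st_mode & 07777;              /* preserve existing mode */
    else
        mode = 0666 & ~(current_umask() | (is_private ? PRIVATE_MASK : 0));

    if (snprintf(tmp, sizeof tmp, "%s.tmp", path) >= (int)sizeof tmp)
        return -1;
    /* Create as 0600 so the data is never readable by others, even briefly. */
    int fd = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    if (write(fd, data, len) != (ssize_t)len || fchmod(fd, mode) != 0) {
        close(fd);
        unlink(tmp);
        return -1;
    }
    if (close(fd) != 0 || rename(tmp, path) != 0) {
        unlink(tmp);
        return -1;
    }
    return (int)mode;
}
```

With a umask of 022 this yields 0644 for ordinary files and 0600 for private ones; a file the user has already set to 0640 stays 0640 after a rewrite.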