Full Disclosure mailing list archives
Scope of Debian's /home/loser is with permissions 755, default umask 002
From: Georgi Guninski <gguninski () gmail com>
Date: Thu, 12 Nov 2020 13:26:57 +0200
On Debian /home/loser is with permissions 755, default umask 0022 (If you don't understand the numbers, this means a lot of files are world readable).

On multiuser machines this sucks much.

Question: How much sensitive data can be read on default install?

Partial results:

1. mutt (text email client) exposes ~/.mutt/muttrc, which might contain the imap password in plaintext.
2. Some time ago on a multiuser Debian mirror we found a lot of data, including the wordpress password of the admin.
3. Anything created by EDITOR NEWFILE is readable, unless the directory prevents. This includes root doing EDITOR /etc/NEWFILE

Debian said won't fix: https://www.openwall.com/lists/oss-security/2020/10/07/4

Consider contracting me for gnu/linux security, CV: https://j.ludost.net/resumegg.pdf

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
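An administrator's audit for the exposure described in the message above, added here as an example and not part of the original post. The function names `audit_home` and `demo_count`, the temporary directory layout and the muttrc line are constructed for illustration.

```shell
#!/bin/sh
# audit_home DIR
# Print regular files under DIR that other local users can read.
# A file counts only if every directory from DIR down to it has the
# "others" execute bit (0001), because opening a file by a known name
# such as ~/.mutt/muttrc needs search permission on each directory,
# not the ability to list it. A home directory with mode 750 or 700
# is pruned at the top, so nothing beneath it is reported.
audit_home() {
    find "$1" -xdev \
        -type d ! -perm -0001 -prune \
        -o -type f -perm -0004 -print
}

# demo_count DIRMODE UMASK
# Build a constructed home directory in a temp location, create a
# sample muttrc under the given umask, set the home directory mode,
# and print how many files audit_home reports. Nothing real is read.
demo_count() {
    dir_mode=$1
    mask=$2
    tmp=$(mktemp -d) || return 2
    (
        umask "$mask"
        mkdir -p "$tmp/loser/.mutt"
        # Constructed sample line; the value is a placeholder.
        echo 'set imap_pass="constructed-placeholder"' \
            > "$tmp/loser/.mutt/muttrc"
    )
    chmod "$dir_mode" "$tmp/loser"
    n=$(audit_home "$tmp/loser" | wc -l)
    rm -rf "$tmp"
    echo $((n))
}

echo "home 755, umask 022: $(demo_count 755 022) file(s) readable by others"
echo "home 750, umask 022: $(demo_count 750 022) file(s) readable by others"
echo "home 755, umask 077: $(demo_count 755 077) file(s) readable by others"
```

Running `audit_home` against each directory under /home on a multiuser host shows which existing files need `chmod o-rwx`; the two zero-count cases show that tightening either the home directory mode or the umask closes the exposure for new files.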
Current thread:
- Scope of Debian's /home/loser is with permissions 755, default umask 002 Georgi Guninski (Nov 12)
- Re: Scope of Debian's /home/loser is with permissions 755, default umask 002 bo0od (Nov 15)
- Re: Scope of Debian's /home/loser is with permissions 755, default umask 002 Pim van Stam (Nov 15)