oss-sec mailing list archives
Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files
From: "Patrick J. Volkerding" <security () slackware com>
Date: Mon, 24 Sep 2012 21:05:38 -0500
On 09/24/2012 12:13 PM, Michael Gilbert wrote:
In addition, piping would need to be permissions-aware to achieve the following: $ umask 077 $ touch sensitive-file $ umask 022 $ cat sensitive-file > sensitive-file2 $ ls -l sensitive-file* -rw------- 1 a a 0 Sep 24 13:09 sensitive-file -rw------- 1 a a 0 Sep 24 13:09 sensitive-file2
Piping is already permissions aware. It uses the umask. IMO, any attempt to add another check in the shell to make a newly created file retain the permissions of whatever input it was derived from would be a misguided effort, and likely to cause breakage. Any script that cares about this should already be controlling the permissions through the umask, and having the output file's access created in a way that does not respect the umask could be an unwelcome surprise.
Pat
Current thread:
- Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files, (continued)
- Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files Tavis Ormandy (Sep 24)
- Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files Michael Gilbert (Sep 24)
- Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files Tavis Ormandy (Sep 24)
- Re: Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files Michael Gilbert (Sep 24)
- Re: Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files Tavis Ormandy (Sep 24)
- Re: Re: Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files Michael Gilbert (Sep 24)
- Re: Re: Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files Michael Gilbert (Sep 24)
- Re: Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files Steven M. Christey (Sep 24)
- Re: Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files Matthias Weckbecker (Sep 25)
- Re: Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files Kurt Seifried (Sep 26)
- Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files Patrick J. Volkerding (Sep 24)
- Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files Kurt Seifried (Sep 24)
- Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files Kurt Seifried (Sep 24)
- Re: Re: Re: CVE request(?): gpg: improper file permssions set when en/de-crypting files Tavis Ormandy (Sep 24)