oss-sec mailing list archives

Question about world readable config files and commented warnings


From: Kurt Seifried <kseifried () redhat com>
Date: Mon, 29 Jun 2015 23:11:08 -0600

So, if a config file is world readable by default, but the section where
you might put a password says:

########
# Database URI for the database that stores the package information. If it
# contains a password, make sure to adjust the permissions of the config
########

Is that good enough, e.g. no CVE, or do we actually need to have proper
permissions?

I'm thinking we need proper permissions and not a note (especially with
administration tools/etc that may parse/modify the file but not change
the perms). Thoughts/comments/final decision from Mitre is welcome.

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com

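An added example, not from the post or from any project it refers to: a small Python audit that flags a password-bearing database URI in a world-readable file, and shows the point about admin tooling in practice: an in-place rewrite keeps the file's existing 0644 mode, while writing through a 0600 temp file and rename does not. The sample config text, host name and password are constructed.

```python
import os
import re
import stat
import tempfile

# Constructed sample in the style of the snippet quoted above; host and password are hypothetical.
SAMPLE_CONFIG = """########
# Database URI for the database that stores the package information. If it
# contains a password, make sure to adjust the permissions of the config
########
DB_URI = 'postgresql://pkgdb:s3cret@db.example.internal/pkgdb'
"""
# Matches scheme://user:password@ -- a URI carrying an embedded password.
_CRED_URI = re.compile(r"[a-z][a-z0-9+.-]*://[^:/\s'\"]+:[^@\s'\"]+@", re.I)

def contains_credential(text):
    """True if any non-comment line holds a URI with an embedded password."""
    return any(_CRED_URI.search(line) for line in text.splitlines()
               if not line.lstrip().startswith("#"))

def audit(path):
    """Finding string when a credential sits in a world-readable file, else None."""
    with open(path) as fh:
        text = fh.read()
    if contains_credential(text) and os.stat(path).st_mode & stat.S_IROTH:
        return "credential in world-readable config"
    return None

def naive_rewrite(path, text):
    """The admin-tool pattern from the post: rewrite in place; O_TRUNC leaves the mode as it was."""
    with open(path, "w") as fh:
        fh.write(text)

def safe_rewrite(path, text):
    """Write via a 0600 temp file (mkstemp default) and atomic rename, so adding a password never widens the mode."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.replace(tmp, path)

def demo():
    """Start from a 0644 packaged config and add the password both ways."""
    path = os.path.join(tempfile.mkdtemp(), "pkgdb.cfg")
    with open(path, "w") as fh:
        fh.write("DB_URI = 'postgresql://db.example.internal/pkgdb'\n")
    os.chmod(path, 0o644)                # typical default for a shipped config
    naive_rewrite(path, SAMPLE_CONFIG)   # password added, file still 0644
    before = audit(path)
    safe_rewrite(path, SAMPLE_CONFIG)    # same content, now owner-only
    return before, audit(path)
```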

