Re: Question about world readable config files and commented warnings

[Kurt Seifried <kseifried () redhat com>]

On 06/30/2015 12:03 AM, gremlin () gremlin ru wrote:
> On 2015-06-29 23:11:08 -0600, Kurt Seifried wrote:
>
>  > So, if a config file is world readable by default, but the section
>  > where you might put a password says:
>  > # Database URI for the database that stores the package
>  > # information. If it contains a password, make sure to
>  > # adjust the permissions of the config
>  > Is that good enough, e.g. no CVE, or do we actually need to have
>  > proper permissions?
>
> For me, that means: the developers did their best, everything else
> is up to package maintainers.
>
> And, obviously, when the administrators will fill in the connection
> parameters, they most likely will see this warning.
>
>  > I'm thinking we need proper permissions and not a note (especially
>  > with administration tools/etc that may parse/modify the file
>  > but not change the perms).
>
> My experience says that developers' attempts to perform chmod (or,
> even worse, chown) during `make install` are just ugly (at least
> they never check whether DESTDIR is empty).

From a developer perspective I somewhat agree, however I'm looking at
this from a vendor perspective where we do control the chmod, easily
(RPM spec file).


-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com

Attachment: signature.asc
Description: OpenPGP digital signature