oss-sec mailing list archives

Re: Question about world readable config files and commented warnings


From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 30 Jun 2015 10:32:56 -0600

On 06/30/2015 09:55 AM, cve-assign () mitre org wrote:
> # Database URI for the database that stores the package information. If it
> # contains a password, make sure to adjust the permissions of the config
>
> In the "If it contains a password, make sure" scenario that you
> mentioned, it seems entirely reasonable for the default permissions to
> reflect the author's preference for the normal case. (A password in a
> URI might be rare.) In other words, the author may want to optimize
> for situations where configuration data is read by users or
> administrators who login with an unprivileged account for most
> day-to-day work. Alternatively, in some cases a configuration approach
> could be redesigned to use separate files for sensitive data elements.

Ok, so does a situation where the author creates the config file with
that warning, and then a vendor repackages and ships it, still world
readable, still with the warning, warrant a CVE?


-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com
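Added example, not code from either message in the thread: a Python check for the scenario discussed above (a world-readable config file whose database URI embeds a password) together with the separate-file approach the MITRE reply mentions. The `KEY = URI` config layout, the file names and the sample password are assumptions.

```python
import os
import re
import stat
from urllib.parse import urlparse

# Constructed config in the style quoted in the thread; the embedded password
# is a hypothetical placeholder, not a real credential.
SAMPLE_CONFIG = """# Database URI for the database that stores the package information. If it
# contains a password, make sure to adjust the permissions of the config
SQLALCHEMY_DATABASE_URI = postgresql://pkguser:hunter2@db.example.org/pkgs
LOG_URI = syslog://loghost.example.org/
"""
# "KEY = scheme://..." lines; this key/value layout is an assumption.
URI_LINE = re.compile(r"^(\w+)\s*=\s*(\S+://\S+)$", re.MULTILINE)

def world_readable(path):
    """True if the 'other' read bit is set on the file."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def split_password(uri):
    """Return (password, uri with the password removed); password is None if absent."""
    p = urlparse(uri)
    if p.password is None:
        return None, uri
    host = p.hostname + (f":{p.port}" if p.port else "")
    return p.password, f"{p.scheme}://{p.username}@{host}{p.path}"

def audit_config(path):
    """Keys whose URI embeds a password while the file is world readable."""
    if not world_readable(path):
        return []
    with open(path) as fh:
        text = fh.read()
    return [k for k, uri in URI_LINE.findall(text) if split_password(uri)[0]]

def move_secrets(config_path, secret_dir):
    """Mitigation the thread sketches: strip each password out of the config and
    store it in <secret_dir>/<KEY>, created O_EXCL with mode 0600."""
    with open(config_path) as fh:
        text = fh.read()
    def rewrite(m):
        key, uri = m.groups()
        password, clean = split_password(uri)
        if password is None:
            return m.group(0)
        flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
        with os.fdopen(os.open(os.path.join(secret_dir, key), flags, 0o600), "w") as sfh:
            sfh.write(password)
        return f"{key} = {clean}"
    with open(config_path, "w") as fh:
        fh.write(URI_LINE.sub(rewrite, text))
```

After `move_secrets` the config can stay world readable, since the URI it now holds carries no credential; the reader that needs the password loads it from the 0600 file.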
