[Secure-testing-team] Bug#484570: [motion] motion.conf world readable and thus writable through web interface by default

Nico Golde debian-secure-testing+ml at ngolde.de
Thu Jun 5 08:25:54 UTC 2008


Hi Thijs,
* Thijs Kinkhorst <thijs at debian.org> [2008-06-05 08:56]:
> Hi Nico,
> 
> On Thursday 5 June 2008 01:41, Nico Golde wrote:
> > That basically makes the control_authentication which is
> > used for http authentication useless as an attacker can read
> > login credentials and then change the configuration to
> > whatever he likes via the web interface of motion (for
> > example switching off motion detection).
> 
> As I understand it this is a fully optional feature not enabled by default. 

Yes.

> When such issues are reported to the stable security team we usually consider 
> them to be a non-issue following this reasoning: when an administrator 
> explicitly edits a config file to add credentials to it, that administrator 
> should be considered capable enough to check whether the file is secured.
> 
> Many applications allow for optional secrets to be added, e.g. my Postfix 
> main.cf has a SASL username & password, but we don't require the Postfix' 
> main.cf to be 0600 in a default installation. Normally we respond with this 
> reasoning and advise the maintainer to add a comment right above the setting 
> to remind the administrator of the file's permissions.

I have some problems following that because I fail to see 
why a normal user should be able to read that file even if 
no credentials are included. I'm not sure if assuming an 
admin is capable of noticing 644 rights and changing them to 
an appropriate value is a good idea. I for myself would not expect
this in /etc (I may not be a good admin :). This is also
problematic as motion can log to different databases, 
including the credentials for this as well in that file. 
However, adding a note to the configuration file sounds like 
a good idea, but the solution could be a lot simpler: 
changing the permissions.

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
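Nico's point above (a 0644 motion.conf in /etc exposing control_authentication and database credentials), shown as an added shell audit that is not part of this thread or of the motion package: it tests whether the file is readable by other users and whether an uncommented credential option is set. The option names mysql_password and pgsql_password are assumed from motion 3.x configs and are not named in the mail; GNU stat(1) is assumed for reading the octal mode.

```shell
#!/bin/sh
# Added example, not from the thread or the motion package: audit a motion.conf
# for the problem Nico describes, a world-readable file that carries HTTP-control
# or database credentials. Assumed: GNU stat(1); the option names mysql_password
# and pgsql_password come from motion 3.x and are not named in the thread.

# Succeed (0) when the file's mode grants read to group or others.
world_readable() {
    mode=$(stat -c %a "$1") || return 2
    case "$mode" in
        *[4-7][0-7]|*[0-7][4-7]) return 0 ;;  # group-read or other-read bit set
        *) return 1 ;;
    esac
}

# Succeed (0) when an uncommented credential option carries a non-empty value.
has_credentials() {
    grep -Eq '^[[:space:]]*(control_authentication|mysql_password|pgsql_password)[[:space:]]+[^[:space:]]' "$1"
}

# Verdict: 0 = fine, 1 = readable by others and carries credentials,
# 2 = readable by others but no credentials set (Nico's broader objection).
audit_motion_conf() {
    conf=$1
    if ! world_readable "$conf"; then
        echo "ok: $conf is not readable by other users"; return 0
    fi
    if has_credentials "$conf"; then
        echo "LEAK: $conf is readable by other users and contains credentials"; return 1
    fi
    echo "warn: $conf is readable by other users (no credentials set yet)"; return 2
}

# Constructed sample config (not a real motion.conf) with the default 0644 mode.
sample=$(mktemp)
cat >"$sample" <<'EOF'
daemon off
control_port 8080
control_authentication admin:s3cret
# mysql_password not-set-because-commented
EOF
chmod 0644 "$sample"
audit_motion_conf "$sample" || echo "  exit status $?"   # LEAK
chmod 0640 "$sample"
audit_motion_conf "$sample" || echo "  exit status $?"   # still readable by the group
chmod 0600 "$sample"
audit_motion_conf "$sample" || echo "  exit status $?"   # ok
rm -f "$sample"
```

Note that 0640 is only a fix if the group owning the file is the one motion runs as; the script flags it because any group member can still read the credentials.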