[Secure-testing-team] Bug#484570: [motion] motion.conf world readable and thus writable through web interface by default

Thijs Kinkhorst thijs at debian.org
Thu Jun 5 08:41:13 UTC 2008


On Thu, June 5, 2008 10:25, Nico Golde wrote:
> I have some problems following that because I fail to see
> why a normal user should be able to read that file even if no credentials
> are included. I'm not sure if assuming an admin is capable of noticing 644
> rights and changing it to an appropriate value is a good idea. I myself
> would not expect this in /etc (I may not be a good admin :). This is also
> problematic as motion can log to different databases, including the
> credentials for this as well in that file. However, adding a note to the
> configuration file sounds like a good idea, but the solution could be a lot
> simpler by changing the permissions.

Wouldn't that advocate making nearly every file under /etc mode 0600,
since there's just a minority of those that need to be read by users?
Everything from inetd, apache, postfix, network/interfaces, ...


Thijs
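The two positions above (tighten motion.conf specifically vs. not making all of /etc 0600) can be reconciled by auditing only for the combination that matters: world-readable files that actually carry credential-looking settings. The script below is an added example, not part of this bug report or of the motion package; the sample config tree and the `webcontrol_authentication` line in it are constructed for the demo, and the credential key pattern is an assumption rather than motion's real option list.

```shell
#!/bin/sh
# Added example: flag files under DIR that are world-readable (mode has the
# o+r bit, e.g. 0644) AND contain a credential-like setting outside comments.
# Prints "MODE PATH: LINE" per hit; returns 0 when nothing was found, 1 otherwise.
# Assumes paths without whitespace (plain for-over-find loop).
audit_world_readable_secrets() {
    dir="$1"
    hits=0
    # -perm -004: world-read bit set (portable numeric form)
    for f in $(find "$dir" -type f -perm -004 2>/dev/null); do
        # first non-comment line mentioning a credential-style key (assumed pattern)
        key=$(grep -i -E '^[[:space:]]*[^#;]*(pass(word)?|secret|token|authentication|credential)' "$f" | head -n 1)
        if [ -n "$key" ]; then
            # GNU stat first, BSD/macOS stat as fallback
            mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
            printf '%s %s: %s\n' "$mode" "$f" "$key"
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -eq 0 ]
}

# Constructed sample tree (not a real /etc): one 0644 file with a credential,
# one 0644 file without, and one 0600 file with a credential that is fine as-is.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/motion"
    printf '# constructed motion config\nwebcontrol_port 8080\nwebcontrol_authentication admin:s3cret\n' > "$d/motion/motion.conf"
    chmod 644 "$d/motion/motion.conf"
    printf 'auto lo\niface lo inet loopback\n' > "$d/interfaces"
    chmod 644 "$d/interfaces"
    printf 'password = hunter2\n' > "$d/private.conf"
    chmod 600 "$d/private.conf"
    echo "$d"
}
```

Run against a real tree with `audit_world_readable_secrets /etc`; only the motion.conf-style case (readable by everyone and carrying a secret) is reported, so the network/interfaces-type files Thijs mentions stay untouched.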

