[Secure-testing-team] Bug#484570: [motion] motion.conf world readable and thus writable through web interface by default

Nico Golde debian-secure-testing+ml at ngolde.de
Thu Jun 5 08:49:43 UTC 2008


Hi Thijs,
* Thijs Kinkhorst <thijs at debian.org> [2008-06-05 10:44]:
> On Thu, June 5, 2008 10:25, Nico Golde wrote:
> > I have some problems following that, because I fail to see
> > why a normal user should be able to read that file even if no credentials
> > are included. I'm not sure if assuming an admin is capable of noticing 644
> > rights and changing them to an appropriate value is a good idea. I for myself
> > would not expect this in /etc (I may not be a good admin :). This is also
> > problematic as motion can log to different databases, including the
> > credentials for this in that file as well. However, adding a note to the
> > configuration file sounds like a good idea, but the solution could be a lot
> > simpler by changing the permissions.
> 
> Wouldn't that advocate making nearly every file under /etc mode 0600,
> since there's just a minority of those that need to be read by users?
> Everything from inetd, apache, postfix, network/interfaces, ...

What is your argument against that? I think yes, for those 
that can include passwords this should be the case, for the 
simple reason that this is the simplest solution for the 
problem.
I see absolutely no argument for not doing this and forcing admins 
to check file permissions by themselves. To come 
back to your sasl example, I also think the situation is slightly 
different. Getting your sasl credentials, you can send mails 
through your smtp gateway; getting the motion credentials 
enables you to completely change the configuration 
through the web interface.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
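The check the thread is arguing about, as an added example that is not part of the original mail or of the motion package: a small POSIX shell audit that flags configuration files carrying credential-like directives while being readable by other local users (the 644 motion.conf case), and tightens them to 0600. The directive keywords, the sample file contents and the `control_authentication` / `sql_password` names are constructed for the demo, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the thread or the motion project): find config
# files that hold credentials yet are readable by users other than the owner.

# Keywords treated as credential-bearing. Assumption: an illustrative list;
# extend it to match the directives of the software you actually run.
CRED_PATTERN='pass|password|secret|authentication|credential'

# Print the octal permission bits of a file (GNU stat assumed).
file_mode() {
    stat -c '%a' "$1"
}

# Succeed if "other" has read access (mode bit 0004 set).
readable_by_others() {
    [ -n "$(find "$1" -prune -perm -004 -print 2>/dev/null)" ]
}

# Succeed if the file has an uncommented line whose directive name
# contains one of the credential keywords (lines starting with # or ; are
# treated as comments and ignored).
has_credential_directive() {
    grep -Eiq "^[[:space:]]*[^#;[:space:]]*($CRED_PATTERN)" "$1"
}

# Classify one file: prints "exposed", "private" or "no-credentials".
audit_file() {
    if ! has_credential_directive "$1"; then
        echo no-credentials
    elif readable_by_others "$1"; then
        echo exposed
    else
        echo private
    fi
}

# Restrict a file to its owner and print the resulting mode (expect 600).
fix_file() {
    chmod 600 "$1" && file_mode "$1"
}

# Stand-alone demo on constructed sample files in a temporary directory.
demo() {
    dir=$(mktemp -d)
    # Constructed sample: a motion.conf-like file installed world-readable
    # (mode 644, as the bug report describes) with credential directives.
    # The directive names are assumed for illustration.
    printf '%s\n' '# control_authentication user:pass' \
        'control_authentication admin:changeme' \
        'sql_password hunter2' > "$dir/motion.conf"
    chmod 644 "$dir/motion.conf"
    # Constructed sample: a file without secrets; world-readable is fine here.
    printf 'interface eth0\n' > "$dir/interfaces"
    chmod 644 "$dir/interfaces"

    for f in "$dir"/*; do
        printf '%s %s %s\n' "$(file_mode "$f")" "$(audit_file "$f")" "$f"
    done
    printf 'after fix: %s %s\n' "$(fix_file "$dir/motion.conf")" "$dir/motion.conf"
    rm -rf "$dir"
}

demo
```

Run it over `/etc/*.conf` (or any list of files) by calling `audit_file` on each path; only files reported as `exposed` need `fix_file`, which is the one-line remedy the mail proposes instead of relying on every admin to spot the 644 bits by hand.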