[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Zip 2,31 bad default file-permissions vulnerability

On Thursday, 2005-08-04 at 15:17:35 -0700, Stephen C Woods wrote:

>   The problem is the zip uses a default mode of 666 (not knowing
> anything about permissions by definition -it's a DOS program for Pete's
> sake, you know single user file server).

I still don't understand why this is a problem. If it were a problem, it
would be one of humongous dimensions because it affects all programs
that use open(..., 0666) to create non-executable files potentially
containing sensitive contents. For example all editors. And all shells
because any redirection could create such a file.

If you work on confidential information, your umask should be 077. In a
bank I worked for this was prescribed for the superuser account. Made
for a lot of admin problems because root rarely creates files with
confidential information, but frequently files that must be readable
for anyone...

Lupe Christoph
-- 
| You know we're sitting on four million pounds of fuel, one nuclear     |
| weapon and a thing that has 270,000 moving parts built by the lowest   |
| bidder. Makes you feel good, doesn't it?                               |
| Rockhound in "Armageddon", 1998, about the Space Shuttle               |