[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] FileCache: tmp file permission vulnerability.

To: bugs@xxxxxxxxxxx, thecrux@xxxxxxxxx
Subject: Re: [Full-disclosure] FileCache: tmp file permission vulnerability.
From: paul.szabo@xxxxxxxxxxxxx
Date: Sat, 3 Apr 2010 17:35:24 +1100

Vladimir Lettiev <thecrux@xxxxxxxxx> wrote:

>> Perl Cache-Cache-1.06 ... stores its default file cache
>> in /tmp with world read/write permissions. ...
>
> This is documented behaviour. You can override insecure default cache
> root and umask with options 'cache_root' and 'directory_umask':
> use Cache::FileCache;
> use File::Temp qw/ tempdir /;
> my $cache = new Cache::FileCache( {
>     'cache_root' => tempdir('CacheXXXXX'),
>     'directory_umask' => 077,
> } );

The default should be secure. Interested people, with intimate knowledge
of inner workings, might go to contortions and change to insecure.

Cheers, Paul

Paul Szabo   psz@xxxxxxxxxxxxxxxxx   http://www.maths.usyd.edu.au/u/psz/
School of Mathematics and Statistics   University of Sydney    Australia

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- Re: [Full-disclosure] FileCache: tmp file permission vulnerability.
  - From: Vladimir Lettiev

Prev by Date: Re: [Full-disclosure] FileCache: tmp file permission vulnerability.
Next by Date: [Full-disclosure] Sun D3VS SM0KiNG PoT AGAiN
Previous by thread: Re: [Full-disclosure] FileCache: tmp file permission vulnerability.
Next by thread: [Full-disclosure] [SECURITY] [DSA 2026-1] New netpbm-free packages fix denial of service
Index(es):
- Date
- Thread