Re: Zip 2,31 bad default file-permissions vulnerability
On Thursday, 2005-08-04 at 15:17:35 -0700, Stephen C Woods wrote:
> The problem is the zip uses a default mode of 666 (not knowing
> anything about permissions by definition -it's a DOS program for Pete's
> sake, you know single user file server).
I still don't understand why this is a problem. If it were a problem, it
would be one of humongous dimensions because it affects all programs
that use open(..., 0666) to create non-executable files potentially
containing sensitive contents. For example all editors. And all shells
because any redirection could create such a file.
If you work on confidential information, your umask should be 077. In a
bank I worked for this was prescribed for the superuser account. Made
for a lot of admin problems because root rarely creates files with
confidential information, but frequently files that must be readable
for anyone...
Lupe Christoph
--
| You know we're sitting on four million pounds of fuel, one nuclear |
| weapon and a thing that has 270,000 moving parts built by the lowest |
| bidder. Makes you feel good, doesn't it? |
| Rockhound in "Armageddon", 1998, about the Space Shuttle |