Re: [PATCH] Add $umask for mailboxes and attachments
On Sat, Mar 17, 2007 at 02:50:33PM +0100, Oswald Buddenhagen wrote:
> On Sat, Mar 17, 2007 at 12:05:49AM -0400, Derek Martin wrote:
> > [stuff about strict umask and in another thread about hard-coded
> > paths]
> >
> in short, all this stuff is discussing securing the door of a blown-up
> house. mutt is just one application. if umask (or the ~/ mode) or PATH
> are not set sensibly for *all* apps, you can conceive any number of
> attacks against mutt or the data it produces/processes.

There's no denying such a user is inviting trouble, but your argument
is really a red herring.  In this case, it is worth being EXTRA
cautious, because Mutt is BY DESIGN meant to deal primarily with
untrusted data from an outside source.  If a local user is able to
read another local user's local documents, because the victim was too
careless or ignorant to protect them with a sufficient umask or
whatever, that's one level of attack, and the risk is relatively low.
Local users are always a threat, and in most cases it is really hard to
secure against their malicious activities.  They have physical access
(or at the very least, permitted remote access), and at least to some
degree, they MUST be trusted.  But even though this is true, that is
not a good argument AGAINST Mutt helping the security-ignorant user to
protect himself (and whatever organization he may be working for) from
local users.

However, for at least some (and possibly all) of the issues we've been
discussing, not getting these things right elevates the risk
substantially, by potentially exposing data to OUTSIDE entities, who
normally would have no access whatsoever.  That's a much bigger
problem, and Mutt (and all programs) should do whatever they can to
prevent it.  Not every program a user will use will do a good job...
but that is not a reason for Mutt to fall down.

Security is hard, and there is no such thing as perfect security.
Your sentiment above seems to amount to "It's hopeless anyway, so
don't bother."  That's not a very good way to approach the problem.
Get right what you can get right.

-- 
Derek D. Martin    http://www.pizzashack.org/   GPG Key ID: 0xDFBEAD02
-=-=-=-=-
This message is posted from an invalid address.  Replying to it will result in
undeliverable mail.  Sorry for the inconvenience.  Thank the spammers.
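The point under discussion, that a program handling untrusted data should not leave the mode of the files it creates to the user's umask, can be checked directly. The following is an added example written for this archive page, not code from mutt or from either poster; the `/tmp/umask_demo_*` path and the helper names are assumptions. It creates a file the two ways and returns the permission bits the kernel actually applied: with the usual request of 0666 the result depends entirely on the umask (0644 under 022, world-readable), whereas an explicit 0600 stays owner-only under any umask, because umask can only remove bits.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a throwaway file under a temporary umask, then report the permission
 * bits the kernel really stored (st_mode & 0777). The file is removed again.
 * Returns -1 on error. Path is a constructed temp name, not a mutt path. */
static int probe_mode(mode_t umask_value, mode_t requested)
{
    char path[64];
    struct stat st;
    int fd;
    mode_t old;

    snprintf(path, sizeof path, "/tmp/umask_demo_%ld_%o",
             (long)getpid(), (unsigned)requested);

    old = umask(umask_value);                     /* simulate the caller's umask */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, requested);
    umask(old);                                   /* restore, as a library should */
    if (fd < 0)
        return -1;

    if (fstat(fd, &st) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    unlink(path);
    return (int)(st.st_mode & 0777);
}

/* The common pattern: request 0666 and let the umask decide. Whatever the
 * user's umask happens to be becomes the protection of a saved attachment. */
int mode_relying_on_umask(mode_t umask_value)
{
    return probe_mode(umask_value, 0666);
}

/* The defensive pattern: request owner-only mode explicitly. The umask can
 * only clear bits, so the result is 0600 regardless of the user's setting. */
int mode_owner_only(mode_t umask_value)
{
    return probe_mode(umask_value, 0600);
}

int main(void)
{
    mode_t masks[] = { 0000, 0022, 0077 };
    size_t i;

    for (i = 0; i < sizeof masks / sizeof masks[0]; i++)
        printf("umask %04o: request 0666 -> %04o, request 0600 -> %04o\n",
               (unsigned)masks[i],
               (unsigned)mode_relying_on_umask(masks[i]),
               (unsigned)mode_owner_only(masks[i]));
    return 0;
}
```

Run stand-alone it prints one line per umask; the middle column is what a careless user's umask of 022 or 000 hands to every other local account, the right column is what an explicit mode gives regardless of the user's setting.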