On Sat, Mar 17, 2007 at 04:35:33PM +0100, Gaëtan LEURENT wrote:
> Well, if your operating system creates world-readable coredump, you
> should report this as a security vulnerability, because it is indeed one
> (see http://www.securityfocus.com/bid/5737/info for instance).

Indeed. And if the user/admin is unaware of this problem? This is precisely what I'm talking about.

> Could it be that you too are somewhat ignorant in security matters?

Not at all; you're making my point. The authors of Mutt have no way to know what system any given user is using, or what inherent security oversights may be present in that OS. If a user of Mutt were on an early Irix 6.5 release, this would be a concern for them. Note that the concern in the vulnerability you mention was specifically for the root user... it makes no mention of regular users. It is not clear what the actual implemented fix was, nor that the "fix" actually changes the default for regular users.

Barring gross negligence in the extreme on the OS designer's part, Mutt using a umask of 077 solves the problem, guaranteed, no matter what the operating system does. And this protection is provided at the low, low cost of the user occasionally having to run chmod when they actually do want people to be able to read their files.

-- 
Derek D. Martin
http://www.pizzashack.org/
GPG Key ID: 0xDFBEAD02

-=-=-=-=-
This message is posted from an invalid address. Replying to it will result in undeliverable mail. Sorry for the inconvenience. Thank the spammers.
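The umask argument in the message above, shown as an added example that is not part of this thread or of the Mutt code base: a small C program that creates a file under a given umask and reads back the permission bits the kernel actually applied. It shows that a 077 umask strips every group/other bit from whatever mode the creating code asks for, while the common 022 default leaves the file world-readable, which is why the mask works regardless of what the surrounding system does. The scratch location under /tmp and the function names are my assumptions.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a file with `requested` permission bits while `mask` is the
 * process umask, and return the permission bits the kernel actually set
 * (or -1 on error). The file and its scratch directory are removed before
 * returning, and the caller's umask is restored. Assumed: /tmp is writable. */
int create_with_umask(mode_t mask, mode_t requested)
{
    char dir[] = "/tmp/umask-demo-XXXXXX";   /* constructed scratch location */
    if (mkdtemp(dir) == NULL)
        return -1;

    char path[sizeof dir + 8];
    snprintf(path, sizeof path, "%s/file", dir);

    mode_t saved = umask(mask);               /* install the mask under test */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, requested);
    umask(saved);                             /* put the caller's mask back */
    if (fd < 0) {
        rmdir(dir);
        return -1;
    }

    struct stat st;
    int rc = fstat(fd, &st);                  /* read back what was applied */
    close(fd);
    unlink(path);
    rmdir(dir);
    return rc < 0 ? -1 : (int)(st.st_mode & 0777);
}

/* True if the mode grants read access to anyone other than the owner
 * (group or other read bit): the condition the thread is worried about. */
int readable_beyond_owner(int mode)
{
    return (mode & 0044) != 0;
}

int main(void)
{
    /* The same creation request under the common 022 default and under 077. */
    mode_t masks[] = { 022, 077 };
    for (size_t i = 0; i < 2; i++) {
        int got = create_with_umask(masks[i], 0666);
        if (got < 0) {
            perror("create_with_umask");
            return 1;
        }
        printf("umask %03o, requested 0666 -> created %04o (%s)\n",
               (unsigned)masks[i], (unsigned)got,
               readable_beyond_owner(got) ? "readable by others" : "owner only");
    }
    return 0;
}
```

Under 022 the 0666 request yields 0644, readable by every other account on the host; under 077 it yields 0600 no matter what mode the code passed. Since the mask is applied at creation time by the kernel, it covers every file the process creates, which is the guarantee the message relies on; the cost is the occasional chmod when a file really is meant to be shared.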