From owner-freebsd-security Fri Apr 9 5:27:27 1999
Delivered-To: freebsd-security@freebsd.org
Received: from vtopus.cs.vt.edu (vtopus.cs.vt.edu [128.173.40.24])
	by hub.freebsd.org (Postfix) with ESMTP id 62A5C14FEB
	for ; Fri, 9 Apr 1999 05:27:24 -0700 (PDT)
	(envelope-from dhagan@vtopus.cs.vt.edu)
Received: (from dhagan@localhost)
	by vtopus.cs.vt.edu (8.9.1a/8.9.1) id IAA18415;
	Fri, 9 Apr 1999 08:24:41 -0400 (EDT)
Date: Fri, 9 Apr 1999 08:24:40 -0400 (EDT)
From: Daniel Hagan
To: Robert Watson
Cc: Matthew Dillon , Foxfair Hu , freebsd-security@FreeBSD.ORG
Subject: Re: Fw: Netscape 4.5 vulnerability
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 8 Apr 1999, Robert Watson wrote:

> > The 'security hole' is that netscape doesn't make the .netscape
> > directory 700. I'd report it to netscape. I dunno whether they
> > will do anything about it, though.
>
> Huh. Didn't do that for me; mine is safely readable and writable only for
> my uid.

What's your umask? If you use umask 077, then this is what I would
expect, but "typical" users who don't change it from 022 would probably
end up with a 755 .netscape directory. Netscape should be smart enough to
at least set the profile file to 600, if not the entire directory to 700.

Daniel

--
Daniel Hagan
Computer Systems Engineer
dhagan@cs.vt.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
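
The umask arithmetic discussed in this message, as an added example that is not part of the original post and is not Netscape's code: a directory requested with mode 0777 comes out as 0777 & ~umask, while a creation routine that asks for 0700/0600 and then chmods does not depend on the user's umask. The function names and the scratch path under /tmp are assumptions made for the demo.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path, or (mode_t)-1 if it cannot be stat'ed. */
static mode_t perm_bits(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (mode_t)(st.st_mode & 0777) : (mode_t)-1;
}
/* Leaves the decision to the umask: asks for 0777, gets 0777 & ~umask. */
static mode_t make_dir_naive(const char *dir) {
    return mkdir(dir, 0777) == 0 ? perm_bits(dir) : (mode_t)-1;
}
/* Asks for 0700, then chmods so an existing, wider directory is tightened. */
static mode_t make_dir_private(const char *dir) {
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return (mode_t)-1;
    return chmod(dir, 0700) == 0 ? perm_bits(dir) : (mode_t)-1;
}
/* Creates the profile file 0600; O_EXCL refuses a file that already exists. */
static mode_t make_file_private(const char *file) {
    int fd = open(file, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return (mode_t)-1;
    close(fd);
    return chmod(file, 0600) == 0 ? perm_bits(file) : (mode_t)-1;
}
/* Constructed demo: out[0] naive dir, [1] private dir, [2] file, [3] naive dir tightened. */
int umask_demo(mode_t mask, mode_t out[4]) {
    char base[64], naive[96], priv[96], prefs[128];
    snprintf(base, sizeof base, "/tmp/umask-demo-%ld", (long)getpid());
    snprintf(naive, sizeof naive, "%s/naive", base);
    snprintf(priv, sizeof priv, "%s/private", base);
    snprintf(prefs, sizeof prefs, "%s/preferences", priv);
    if (mkdir(base, 0700) != 0) return -1;
    mode_t old = umask(mask);            /* the user's umask under test */
    out[0] = make_dir_naive(naive);
    out[1] = make_dir_private(priv);
    out[2] = make_file_private(prefs);
    out[3] = make_dir_private(naive);    /* pre-existing loose directory */
    umask(old);
    unlink(prefs); rmdir(priv); rmdir(naive); rmdir(base);
    return 0;
}
int main(void) {
    mode_t m[4];
    if (umask_demo(022, m) != 0) return 1;
    printf("naive %03o private %03o file %03o tightened %03o\n",
           (unsigned)m[0], (unsigned)m[1], (unsigned)m[2], (unsigned)m[3]);
    return 0;
}
```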