From owner-freebsd-security Fri Apr 9 5:42:51 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50])
	by hub.freebsd.org (Postfix) with ESMTP id 669D5150E8
	for ; Fri, 9 Apr 1999 05:42:48 -0700 (PDT)
	(envelope-from robert@cyrus.watson.org)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3])
	by fledge.watson.org (8.8.8/8.8.8) with SMTP id IAA19937;
	Fri, 9 Apr 1999 08:40:04 -0400 (EDT)
	(envelope-from robert@cyrus.watson.org)
Date: Fri, 9 Apr 1999 08:40:04 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
Reply-To: Robert Watson
To: Daniel Hagan
Cc: Matthew Dillon , Foxfair Hu , freebsd-security@FreeBSD.ORG
Subject: Re: Fw: Netscape 4.5 vulnerability
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 9 Apr 1999, Daniel Hagan wrote:

> On Thu, 8 Apr 1999, Robert Watson wrote:
>
> > > The 'security hole' is that netscape doesn't make the .netscape
> > > directory 700. I'd report it to netscape. I dunno whether they
> > > will do anything about it, though.
> >
> > Huh. Didn't do that for me; mine is safely readable and writable only for
> > my uid.
>
> What's your umask? If you use umask 077, then this is what I would
> expect, but "typical" users who don't change it from 022 would probably
> end up with a 755 .netscape directory. Netscape should be smart enough to
> at least set the profile file to 600, if not the entire directory to 700.

Well, it's 077 on my multi-user machines, but 022 on the notebook which I
tested on.

  Robert N Watson

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: 03 01 DD 8E 15 67 48 73  25 6D 10 FC EC 68 C1 1C

Carnegie Mellon University            http://www.cmu.edu/
TIS Labs at Network Associates, Inc.  http://www.tis.com/
Safeport Network Services             http://www.safeport.com/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
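
Added example, not part of the original message and not Netscape's code: the umask behaviour discussed in the thread, shown in C as a directory created with the mode left to the umask beside one forced to 0700. The function names and the scratch path under /tmp are hypothetical, constructed for this illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* What the thread describes: the final mode is left to the user's umask. */
static int make_dir_naive(const char *path) { return mkdir(path, 0777); }

/* Owner-only regardless of umask; also tightens a leftover 0755 directory. */
static int make_dir_private(const char *path)
{
    struct stat st;
    int fd, rc = -1;

    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW); /* refuse symlinks */
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0 && st.st_uid == geteuid())
        rc = fchmod(fd, 0700);   /* only touch a directory we own */
    close(fd);
    return rc;
}

/* Under `mask`, in a scratch directory (constructed path), optionally run the
 * naive creation, then optionally the private one; returns the resulting
 * permission bits of the profile directory, or -1 on failure. */
static int dir_mode_under_umask(mode_t mask, int naive, int private_fix)
{
    char base[] = "/tmp/umaskdemoXXXXXX", path[64];
    struct stat st;
    mode_t old = umask(mask);
    int mode = -1;

    if (mkdtemp(base) != NULL) {
        snprintf(path, sizeof path, "%s/profile", base);
        if ((!naive || make_dir_naive(path) == 0) &&
            (!private_fix || make_dir_private(path) == 0) &&
            stat(path, &st) == 0)
            mode = (int)(st.st_mode & 0777);
        rmdir(path);
        rmdir(base);
    }
    umask(old);
    return mode;
}
```

The same approach applies to the profile file: create it with `open(..., O_CREAT, 0600)` and `fchmod` the descriptor to 0600 if it already existed.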