From owner-freebsd-security Fri Apr 9 7:45:45 1999
Message-ID: <370E0336.83577BA7@softweyr.com>
Date: Fri, 09 Apr 1999 07:40:06 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.5 [en] (X11; U; FreeBSD 3.1-RELEASE i386)
To: Daniel Hagan
Cc: Robert Watson, Matthew Dillon, Foxfair Hu, freebsd-security@FreeBSD.ORG
Subject: Re: Fw: Netscape 4.5 vulnerability

Daniel Hagan wrote:
>
> On Thu, 8 Apr 1999, Robert Watson wrote:
>
> > > The 'security hole' is that netscape doesn't make the .netscape
> > > directory 700. I'd report it to netscape. I dunno whether they
> > > will do anything about it, though.
> >
> > Huh. Didn't do that for me; mine is safely readable and writable only for
> > my uid.
>
> What's your umask? If you use umask 077, then this is what I would
> expect, but "typical" users who don't change it from 022 would probably
> end up with a 755 .netscape directory. Netscape should be smart enough to
> at least set the profile file to 600, if not the entire directory to 700.

My umask is 022 and my .netscape directory is 700. I didn't change it,
so Netscape must have created it that way. This is Communicator 4.5
(linux version; it's more reliable than the FreeBSD binary) on 3.1.

-- 
"Where am I, and what am I doing in this handbasket?"
Wes Peters                              Softweyr LLC
http://www.softweyr.com/~softweyr       wes@softweyr.com
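
The umask arithmetic discussed in this message, as an added example that is not part of the original post or of Netscape's code: a directory created with the default requested mode comes out 755 under umask 022, while one created with an explicit owner-only mode comes out 700 whatever the umask. The function names and the temporary paths are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (constructed): how the mode an application requests
# interacts with the user's umask. Everything runs in a throwaway temp dir.

# Print a path's permission bits in octal (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a directory relying on the umask alone: mkdir requests 777 and
# the umask clears bits from it. $1 = umask, $2 = path. Prints the mode.
make_default() {
    ( umask "$1" && mkdir "$2" ) && mode_of "$2"
}

# Create a directory with an explicit owner-only mode, which is what an
# application holding private data should do. $1 = umask, $2 = path.
make_private() {
    ( umask "$1" && mkdir -m 700 "$2" ) && mode_of "$2"
}

# Audit check: succeed only if group and other have no access at all.
is_private() {
    case "$(mode_of "$1")" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Demonstration on constructed paths.
demo_dir=$(mktemp -d)
echo "umask 022, default mode:  $(make_default 022 "$demo_dir/default022")"
echo "umask 077, default mode:  $(make_default 077 "$demo_dir/default077")"
echo "umask 022, explicit 700:  $(make_private 022 "$demo_dir/private022")"
for d in "$demo_dir"/*; do
    if is_private "$d"; then
        echo "ok:      $d"
    else
        echo "exposed: $d (mode $(mode_of "$d")); fix with chmod 700"
    fi
done
rm -rf "$demo_dir"
```

The same audit applied to an existing profile is `is_private "$HOME/.netscape"`; a non-zero exit status means group or other still have some access.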