From owner-freebsd-security Fri Apr 9 15:11:30 1999
Delivered-To: freebsd-security@freebsd.org
Received: from phoenix.unacom.com (unacom.com [206.113.48.2])
    by hub.freebsd.org (Postfix) with SMTP id 8072D15F22
    for ; Fri, 9 Apr 1999 15:06:35 -0700 (PDT)
    (envelope-from geniusj@phoenix.unacom.com)
Received: (qmail 74474 invoked by uid 1000); 9 Apr 1999 14:57:37 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
    by localhost with SMTP; 9 Apr 1999 14:57:37 -0000
Date: Fri, 9 Apr 1999 10:57:37 -0400 (EDT)
From: The Tech-Admin Dude
To: Wes Peters
Cc: Daniel Hagan, Robert Watson, Matthew Dillon, Foxfair Hu, freebsd-security@FreeBSD.ORG
Subject: Re: Fw: Netscape 4.5 vulnerability
In-Reply-To: <370E0336.83577BA7@softweyr.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 9 Apr 1999, Wes Peters wrote:

> Daniel Hagan wrote:
> >
> > On Thu, 8 Apr 1999, Robert Watson wrote:
> >
> > > > The 'security hole' is that netscape doesn't make the .netscape
> > > > directory 700. I'd report it to netscape. I dunno whether they
> > > > will do anything about it, though.
> > >
> > > Huh. Didn't do that for me; mine is safely readable and writable only for
> > > my uid.
> >
> > What's your umask? If you use umask 077, then this is what I would
> > expect, but "typical" users who don't change it from 022 would probably
> > end up with a 755 .netscape directory. Netscape should be smart enough to
> > at least set the profile file to 600, if not the entire directory to 700.
>
> My umask is 022 and my .netscape directory is 700. I didn't change it,
> so Netscape must have created it that way. This is Communicator 4.5
> (linux version; it's more reliable than the FreeBSD binary) on 3.1.
>
> --
> "Where am I, and what am I doing in this handbasket?"
>
> Wes Peters Softweyr LLC
> http://www.softweyr.com/~softweyr wes@softweyr.com
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

I'm using the FreeBSD binary and it is only readable to my UID also, and I
have not changed a thing.. One is not more reliable than the other, it's the
same code, folks..

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
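
Added example, not part of the original message or thread: a C sketch of the umask question raised above, showing that the mode passed to mkdir() is only ever narrowed by the process umask, so a program requesting 0700 gets a 700 directory even under umask 022, while one requesting 0777 gets 755. The helper names and temporary paths are constructed for this demonstration and are an assumption; this is not Netscape's code.

```c
#define _XOPEN_SOURCE 700   /* for mkdtemp() */
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Create a ".netscape" directory inside a fresh temp dir, using the given
 * process umask and requested mode. Returns the resulting permission bits,
 * or -1 on error. Paths are constructed for the demo only. */
static int mode_after_mkdir(mode_t mask, mode_t requested)
{
    char base[] = "/tmp/umaskdemoXXXXXX";
    char path[64];
    struct stat st;
    int result = -1;

    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(path, sizeof(path), "%s/.netscape", base);

    mode_t old = umask(mask);            /* set the umask under test */
    if (mkdir(path, requested) == 0 && stat(path, &st) == 0)
        result = (int)(st.st_mode & 0777);
    umask(old);                          /* restore the caller's umask */

    rmdir(path);
    rmdir(base);
    return result;
}

/* Audit check: nonzero if group or other hold any access bit. */
static int exposed_to_others(int mode)
{
    return (mode & (S_IRWXG | S_IRWXO)) != 0;
}

int main(void)
{
    int cases[3][2] = { {022, 0777}, {022, 0700}, {077, 0777} };
    for (int i = 0; i < 3; i++) {
        int m = mode_after_mkdir((mode_t)cases[i][0], (mode_t)cases[i][1]);
        printf("umask %03o, mkdir(%04o) -> %03o%s\n", cases[i][0],
               cases[i][1], m, exposed_to_others(m) ? "  (exposed)" : "");
    }
    return 0;
}
```

The same exposed_to_others() test can be applied to the st_mode of an existing profile directory to audit it.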