Package: sshuttle
Version: 0.54-2
Severity: normal
Tags: security

With -H, sshuttle writes a ~/.sshuttle.hosts file on the remote ssh server host. It seems to contain a lot of dns hostnames. Not just local hostnames, but random websites visited via sshuttle, etc. The file is left lying around after sshuttle exits.

The file mode is default umask, so if the user is letting their home directory be viewed by default and locking down sensitive files they create, the whole list will be exposed to anyone else on the host.

I think the file should at least use locked down permissions by default, or better, should not exist at all.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages sshuttle depends on:
ii  iptables                     1.4.21-2
ii  openssh-client [ssh-client]  1:6.6p1-7
ii  python                       2.7.8-1

Versions of packages sshuttle recommends:
ii  sudo  1.8.9p5-1

sshuttle suggests no packages.

-- no debconf information

--
see shy jo
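The permissions problem reported above, shown as an added example that is not sshuttle's code: a cache file written with a plain `open()` inherits the umask, while creating it as 0600 and replacing the old file keeps the host list private. The function names, the one-hostname-per-line format and the sample hostnames are assumptions made for illustration.

```python
import os
import stat
import tempfile

def write_hosts_default(path, hosts):
    # Pattern from the report: the resulting mode is 0666 masked by the umask.
    with open(path, "w") as f:
        f.write("\n".join(hosts) + "\n")

def write_hosts_private(path, hosts):
    # Create a fresh temp file as 0600 (O_EXCL refuses a pre-planted file),
    # then atomically replace the target so an existing world-readable
    # copy is tightened as well.
    tmp = "%s.tmp.%d" % (path, os.getpid())
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "w") as f:
            os.fchmod(f.fileno(), 0o600)  # pin the mode regardless of umask
            f.write("\n".join(hosts) + "\n")
        os.replace(tmp, path)
    finally:
        if os.path.exists(tmp):
            os.unlink(tmp)

def file_mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def readable_by_others(path):
    # Audit check: True when group or other can read the file.
    return bool(file_mode(path) & (stat.S_IRGRP | stat.S_IROTH))

def demo():
    hosts = ["intranet.example", "www.example.org"]  # constructed sample data
    old = os.umask(0o022)  # a common default umask
    try:
        with tempfile.TemporaryDirectory() as d:
            path = os.path.join(d, ".sshuttle.hosts")
            write_hosts_default(path, hosts)
            before = file_mode(path)
            write_hosts_private(path, hosts)
            return before, file_mode(path)
    finally:
        os.umask(old)

if __name__ == "__main__":
    before, after = demo()
    print("default write: %o, private write: %o" % (before, after))
```
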