Hi Thibaut, you made a good point, as I see it. I could imagine a group of users that is assigned to the boinc group for editing the files. Should the permissions then not rather be 660?
Many greetings
Steffen (who has collected 490 credits since you pointed him to boincsimap)

On Saturday 20 January 2007 13:28, Thibaut VARENE wrote:
> Package: boinc-client
> Version: 5.4.11-4
> Severity: normal
>
> boinc-client default install sets the following modes on
> /etc/boinc-client/gui_rpc_auth.cfg:
> -rw-r--r-- 1 boinc boinc 8 Jan 14 01:01 gui_rpc_auth.cfg
>
> By default it doesn't contain any password, but if an admin adds one
> without checking the permissions, this password will be available to any
> user on the system (allowing them to control the boinc daemon, and
> potentially detach/attach projects, etc).
>
> Also, given the owner of this file is user 'boinc', the boinc daemon
> itself could overwrite the contents of this file. An attacker finding a
> programming flaw in the software could take advantage of this as well.
>
> This also applies to a lesser extent to the other files in the
> /etc/boinc-client directory.
>
> Thus, it seems to me that the files in the /etc/boinc-client directory
> should be 640 root:boinc instead of 644 boinc:boinc
>
> HTH
>
> T-Bone
>
> -- System Information:
> Debian Release: 4.0
>   APT prefers testing
>   APT policy: (500, 'testing')
> Architecture: powerpc (ppc)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.19-ck2
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>
> Versions of packages boinc-client depends on:
> ii  adduser   3.101                            Add and remove users and groups
> ii  debconf   1.5.11                           Debian configuration management sy
> ii  libc6     2.3.6.ds1-8                      GNU C Library: Shared libraries
> ii  libcomer  1.39+1.40-WIP-2006.11.14+dfsg-1  common error description library
> ii  libcurl3  7.15.5-1                         Multi-protocol file transfer libra
> ii  libgcc1   1:4.1.1-19                       GCC support library
> ii  libidn11  0.6.5-1                          GNU libidn library, implementation
> ii  libkrb53  1.4.4-6                          MIT Kerberos runtime libraries
> ii  libssl0.  0.9.8c-4                         SSL shared libraries
> ii  libstdc+  4.1.1-19                         The GNU Standard C++ Library v3
> ii  lsb-base  3.1-22                           Linux Standard Base 3.1 init scrip
> ii  python    2.4.4-2                          An interactive high-level object-o
> ii  zlib1g    1:1.2.3-13                       compression library - runtime
>
> boinc-client recommends no packages.
>
> -- debconf information excluded

--
Dr. Steffen Möller
University of Lübeck
Institute of Neuro- and Bioinformatics
Ratzeburger Allee 160
23538 Lübeck
Germany
T: +49 451 500 5504
F: +49 451 500 5502
[EMAIL PROTECTED]
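The two settings argued over above (Thibaut's 640 root:boinc, Steffen's 660 for a group of editors), as an added shell example that is not part of this thread or of the boinc-client package: it audits a config file such as /etc/boinc-client/gui_rpc_auth.cfg against a wanted owner, group and mode, and rejects any mode that grants "other" bits regardless of what was requested, since that is exactly the case where a password added by the admin becomes readable by every local user. It assumes GNU coreutils stat (Linux); the function names are made up here.

```shell
#!/bin/sh
# Added example, not code from the bug report or the boinc-client package.
# Assumes GNU stat (-c '%a %U %G'); run as root when fixing a real install.

# check_boinc_cfg FILE [OWNER] [GROUP] [MODE]
# Prints one line per deviation from OWNER:GROUP and MODE (defaults
# root:boinc 640, as proposed in the report) and returns 1; returns 0 if
# everything matches. Any "other" bit is flagged whatever MODE was asked
# for, so 660 (Steffen's suggestion) passes but 664 never does.
check_boinc_cfg() {
    file=$1
    want_owner=${2:-root}
    want_group=${3:-boinc}
    want_mode=${4:-640}
    rc=0
    if [ ! -f "$file" ]; then
        echo "$file: no such file"
        return 2
    fi
    # %a = octal mode, %U = owner name, %G = group name
    set -- $(stat -c '%a %U %G' "$file")
    mode=$1 owner=$2 group=$3
    other=${mode#"${mode%?}"}   # last octal digit: the "other" bits
    if [ "$other" != 0 ]; then
        echo "$file: mode $mode is readable or writable by every local user"
        rc=1
    fi
    if [ "$mode" != "$want_mode" ]; then
        echo "$file: mode $mode, want $want_mode"
        rc=1
    fi
    # The report's second point: if the daemon user owns the file, the
    # daemon (or anyone exploiting a flaw in it) can rewrite it.
    if [ "$owner" != "$want_owner" ]; then
        echo "$file: owner $owner, want $want_owner"
        rc=1
    fi
    if [ "$group" != "$want_group" ]; then
        echo "$file: group $group, want $want_group"
        rc=1
    fi
    return $rc
}

# harden_boinc_cfg FILE [OWNER] [GROUP] [MODE]
# Applies OWNER:GROUP and MODE (chown to another user needs root).
harden_boinc_cfg() {
    chown "${2:-root}:${3:-boinc}" "$1" && chmod "${4:-640}" "$1"
}

# Typical use on an installed system, as root:
#   for f in /etc/boinc-client/*; do
#       check_boinc_cfg "$f" || harden_boinc_cfg "$f"
#   done
```

Pass `root boinc 660` as the trailing arguments to audit against Steffen's variant instead; the "other" check is the one that matters for the password leak either way.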