On Thu, 2005-10-06 at 23:41 +0200, Martin Lohmeier wrote:
> Mike O'Connor wrote:
> > Package: horde3
> > Version: 3.0.5-1
> > Severity: critical
> > Tags: security
> > Justification: root security hole
> >
> > In the README.Debian, in section 6. it is recommended that the end
> > user executes:
> >
> > chown root.www config/*
> > chmod 0440 config/*
> >
> > because the "Some of Horde's configuration files contain passwords which
> > local users could use to access your database".
> >
> > This is something that should be done by the maintainer scripts and not
> > left up to the end user to do.
>
> Hi Mike,
>
> this is done for security reasons (don't let someone configure horde who
> points his / her browser to www.example.com/horde; this should only
> happen if YOU want this). Browse the BTS archive of horde3, I think I've
> submitted something similar a few months ago.
>
> bye, Martin
>

I don't understand your explanation. The files are installed as 0644,
meaning that they are world readable. I don't understand why they would
be installed as 0644 instead of 0440 for security reasons.

stew
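
A check for the condition discussed in this thread, as an added example that is not part of the original messages or of the horde3 package: it lists files under a directory that have any permission bit set for "other" (as a file at mode 0644 does) and fails if it finds one. The function names and the sample file names are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the horde3 package.

# audit_config_perms DIR
# Lists regular files under DIR that have any read, write or execute bit
# set for "other". Returns 1 if at least one such file exists, else 0.
audit_config_perms() {
    offenders=$(find "$1" -type f \
        \( -perm -004 -o -perm -002 -o -perm -001 \) \
        -exec ls -ld {} +)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# demo_audit
# Builds a constructed sample directory (file names are placeholders):
# one file at 0644, the mode the report says the files are installed
# with, and one at 0440, the mode README.Debian recommends.
# Returns the audit result for that directory.
demo_audit() {
    tmp=$(mktemp -d) || return 2
    : > "$tmp/sample1.php"
    : > "$tmp/sample2.php"
    chmod 0644 "$tmp/sample1.php"
    chmod 0440 "$tmp/sample2.php"
    rc=0
    audit_config_perms "$tmp" || rc=$?
    rm -rf "$tmp"
    return "$rc"
}
```

Run `audit_config_perms` against the installed `config/` directory; a clean result only covers the mode bits, so the `root.www` ownership from the README still has to be checked separately.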