Package: tramp
Version: 1:2.0.47-1
Severity: normal
Tags: security

I just noticed that when I edited a buffer /su::/etc/apache/axkit.conf,
a file /tmp/#axkit.conf# was created. axkit.conf is owned by root:root
on my system, and is readable only to root:
-rw-------    1 root   root    4901 Feb 17 12:39 axkit.conf
I don't want the contents of that file exposed... :-)

The problem is that the temporary file gets a different set of
permissions:
-rw-r--r--  1 kjetil   kjetil    4900 Feb 17 13:00 #axkit.conf#
It gets the default permissions of my user. 

This seems to have security implications to me. The contents of this
file are now easily accessible to any local user.

I guess it would be OK to make the file readable and writable only to the
local user by default. This user has already legitimately accessed the
file, so that should be OK.

I'm submitting this only as severity normal, as I'm not confident it is
a bug, it could be that I have a flawed understanding. If it is a bug it
would be the first time I find a security problem! :-) What do others
think?

Kjetil

-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2005-01-27.roo.1
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages tramp depends on:
ii  emacs21 [emacsen]             21.3+1-8   The GNU Emacs editor

-- no debconf information
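
An added example (not part of the original report and not Tramp's own code): a Python check that finds Emacs auto-save files (`#name#`) in a directory that are accessible to group or others, as in the listing in the report, and restricts them to the owner. The function names and the sample file are constructed for illustration.

```python
import os
import stat
import tempfile

def is_autosave(name):
    """Emacs auto-save files are named #original-name#."""
    return len(name) > 2 and name.startswith("#") and name.endswith("#")

def find_exposed_autosaves(directory):
    """Return (path, mode) for auto-save files with any group/other permission bit."""
    exposed = []
    for entry in os.scandir(directory):
        if not is_autosave(entry.name):
            continue
        st = entry.stat(follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode):
            continue  # ignore symlinks, directories and devices
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            exposed.append((entry.path, mode))
    return sorted(exposed)

def restrict_to_owner(path):
    """Clear group/other bits on a regular file; return the new mode."""
    # O_NOFOLLOW + fchmod: act on the opened file, never on a symlink target.
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ValueError("not a regular file: " + path)
        new_mode = stat.S_IMODE(st.st_mode) & stat.S_IRWXU
        os.fchmod(fd, new_mode)
    finally:
        os.close(fd)
    return new_mode

def demo():
    """Constructed sample: recreate the 0644 auto-save file from the report."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "#axkit.conf#")
        with open(path, "w") as f:
            f.write("constructed sample contents\n")
        os.chmod(path, 0o644)  # same mode as the report's listing
        before = find_exposed_autosaves(d)
        fixed = restrict_to_owner(path)
        return before[0][1], fixed, len(find_exposed_autosaves(d))

if __name__ == "__main__":
    print(demo())
```

Tightening the mode afterwards only narrows the exposure window; the file is readable from the moment it is created until the check runs.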

