-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

* Marcus Frings <[EMAIL PROTECTED]> [021207 00:52]:
> Hello,
>
> I just migrated from leafnode to inn + suck on my Debian Woody box.
> After installing suck I think I have discovered a possible security
> violation. /etc/suck/get-news.conf is installed as root:root with
> default file permissions 644. This means that $WORLD can read passwords
> from this file which are stored there to get access to the upstream
> newsserver.

right.

> IIRC /usr/sbin/get-news has to be run as user "news" and not as "root"
> thus the script won't work if I change the permissions of get-news.conf
> to 600 or 640. Or am I completely wrong and get-news should be started
> as "root"? Anyway, 644 as default for files which store passwords is
> pretty weird in my opinion.

> Any comments concerning this are very welcome.

I would agree giving anyone else the possibility of reading the passwords
of your upstream-newsserver won't be a good idea :)
That should be definitely fixed.

regards

Martin
- --
|------------------------------------------------------------
| Martin Helas [EMAIL PROTECTED]
| PGP: 1474 4CAC EF5C ECFA E29E 2CB1 7929 AB90 F7AC 3AF0
|------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQE98TwjeSmrkPesOvARAgGhAJ0bvEparbObee04w9QwtfRs/iYjhgCgkEhN
0txLkmMazOOLcbYVOJIE7/E=
=8kgV
-----END PGP SIGNATURE-----
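
One way to address the permission problem raised in this thread, as an added example that is not part of either message: detect a world-readable credentials file, then hand read access to a single group and remove it from everyone else. The function names are hypothetical, the group "news" is an assumption based on Marcus's recollection of the account get-news runs as, and the demo works on a constructed temporary file rather than the real /etc/suck/get-news.conf.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Exit 0 if "other" has read permission on the file (mode bit 004).
is_world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Report one file. Returns 0 = ok, 1 = exposed, 2 = missing.
audit_conf() {
    [ -e "$1" ] || { echo "missing $1"; return 2; }
    if is_world_readable "$1"; then
        echo "EXPOSED $1"
        return 1
    fi
    echo "ok $1"
}

# Owner keeps rw, the named group gets read, others get nothing (640).
# On the real system this would be run as root with the group assumed
# to be "news", so that a get-news job running as user news can still
# read the file while other local users cannot.
restrict_to_group() {
    file=$1
    group=$2
    chgrp "$group" "$file" && chmod 640 "$file"
}

# Demo on a constructed stand-in for the config file.
demo() {
    tmp=$(mktemp) || return 2
    printf 'constructed sample, not a real credential\n' > "$tmp"
    chmod 644 "$tmp"                      # default mode reported in the thread
    audit_conf "$tmp" || true             # prints: EXPOSED <tmp>
    # The caller's own primary group stands in for "news" so the demo
    # runs without root.
    restrict_to_group "$tmp" "$(id -gn)"
    rc=0
    audit_conf "$tmp" || rc=$?            # prints: ok <tmp>
    rm -f "$tmp"
    return "$rc"
}

demo
```
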

