5873475 2000-12-16 10:19 +0000 /75 lines/ Weston Pawlowski <bug@WESTON.CX>
Sent by: joel@lysator.liu.se
Imported: 2000-12-19 01:22 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: bug@WESTON.CX
Recipient: Bugtraq (import) <14285>
Subject: Re: J-Pilot Permissions Vulnerability
------------------------------------------------------------
From: Weston Pawlowski <bug@WESTON.CX>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20001216101957.3729.qmail@securityfocus.com>

I attempted to contact the vendor, but got an automated error reply, so
I'm not sure if it got through or not. I assumed his e-mail address was no
longer valid, but I see that he posted here with it, so it apparently is.

In any case, thanks for mentioning that the problem is just from the
umask; that's something I forgot to include in my post. Obviously, it's
always a good idea to set your umask to something a little more secure,
but I've encountered lots of clueless people using Linux who wouldn't know
why or even how to set the umask. On top of that, the ".jpilot" directory
is commonly hidden. So, I think it's generally a good practice to override
the umask in the name of security when automatically creating hidden
directories and files that may contain private information.

PalmOS "private" records aren't very secure to begin with, but that
doesn't mean we should make them even more insecure by exposing them on
the computer it syncs with. Even if you encrypt things on your PalmOS
handheld, there are passwords stored in places, such as preference data,
that can't be easily encrypted. For example: ISP passwords are stored in
".jpilot/Backup/NetworkDB.pdb"

-Weston

>
> Did you contact the vendor? I have Cc:'d him on this as you make no
> mention of it in your message.
>
> I can verify this, and moreover it appears as if J-Pilot uses the user's
> umask:
>
> [rwm@ryan rwm]$ umask
> 002
> [rwm@ryan rwm]$ ls -la .jpilot
> total 36
> drwxrwxr-x 2 rwm rwm 4096 Dec 13 13:44 .
> drwxr-xr-x 100 rwm rwm 8192 Dec 14 16:49 ..
> - -rw-rw-r-- 1 rwm rwm 0 Dec 13 13:43 AddressDB.pc
> - -rw-rw-r-- 1 rwm rwm 719 Dec 13 13:43 AddressDB.pdb
> <... snip ...>
>
> So the vulnerability is furthermore amplified if they are group-writable
> and there is a malicious user in the same group.
>
> Cheers,
> Ryan
>
> +-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --
> Ryan W. Maple "I dunno, I dream in Perl sometimes..." -LW
> Guardian Digital, Inc. ryan@guardiandigital.com
> +-- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --- --
(5873475) ------------------------------------------
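
The practice recommended in the message above (override the umask when creating a hidden data directory and its files) can be sketched in C as follows. This is an added example, not part of the original post and not J-Pilot's code; the function names ensure_private_dir, open_private_file and mode_of are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create path as a 0700 directory, or tighten one an earlier run left looser. */
int ensure_private_dir(const char *path)
{
    struct stat st;
    int fd, rc = -1;
    /* The umask can only clear bits, so asking for 0700 never yields more. */
    if (mkdir(path, 0700) == 0)
        return 0;
    if (errno != EEXIST)
        return -1;
    /* Existing path: open without following a symlink, then act on the fd. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0 && st.st_uid == geteuid() && fchmod(fd, 0700) == 0)
        rc = 0;
    close(fd);
    return rc;
}

/* Open (creating if needed) a file only its owner can read or write. */
int open_private_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    /* fchmod repairs a file that already existed with group/other bits set. */
    if (fchmod(fd, 0600) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Permission bits of path (symlinks not followed), or -1 on error. */
int mode_of(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}
```

With the umask of 002 shown in the quoted listing, a directory handled this way ends up drwx------ and its files -rw-------, whether they are created fresh or already existed with group and other bits set.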