From owner-freebsd-security  Fri Apr  9  5:27:27 1999
Delivered-To: freebsd-security@freebsd.org
Received: from vtopus.cs.vt.edu (vtopus.cs.vt.edu [128.173.40.24])
	by hub.freebsd.org (Postfix) with ESMTP id 62A5C14FEB
	for <freebsd-security@FreeBSD.ORG>; Fri,  9 Apr 1999 05:27:24 -0700 (PDT)
	(envelope-from dhagan@vtopus.cs.vt.edu)
Received: (from dhagan@localhost)
	by vtopus.cs.vt.edu (8.9.1a/8.9.1) id IAA18415;
	Fri, 9 Apr 1999 08:24:41 -0400 (EDT)
Date: Fri, 9 Apr 1999 08:24:40 -0400 (EDT)
From: Daniel Hagan <dhagan@cs.vt.edu>
To: Robert Watson <robert+freebsd@cyrus.watson.org>
Cc: Matthew Dillon <dillon@apollo.backplane.com>,
	Foxfair Hu <foxfair@news.ks.edu.tw>, freebsd-security@FreeBSD.ORG
Subject: Re: Fw: Netscape 4.5 vulnerability
In-Reply-To: <Pine.BSF.3.96.990408222051.17455A-100000@fledge.watson.org>
Message-ID: <Pine.OSF.4.02.9904090822170.21965-100000@vtopus.cs.vt.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 8 Apr 1999, Robert Watson wrote:

> >     The 'security hole' is that netscape doesn't make the .netscape
> >     directory 700.  I'd report it to netscape.  I dunno whether they
> >     will do anything about it, though.
> 
> Huh.  Didn't do that for me; mine is safely readable and writable only for
> my uid.  

What's your umask?  If you use umask 077, then this is what I would
expect, but "typical" users who don't change it from 022 would probably
end up with a 755 .netscape directory.  Netscape should be smart enough to
at least set the profile file to 600, if not the entire directory to 700.

Daniel
 
-- 
Daniel Hagan 
Computer Systems Engineer
dhagan@cs.vt.edu



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message