From owner-freebsd-security  Fri Apr  9 15:11:30 1999
Delivered-To: freebsd-security@freebsd.org
Received: from phoenix.unacom.com (unacom.com [206.113.48.2])
	by hub.freebsd.org (Postfix) with SMTP id 8072D15F22
	for <freebsd-security@FreeBSD.ORG>; Fri,  9 Apr 1999 15:06:35 -0700 (PDT)
	(envelope-from geniusj@phoenix.unacom.com)
Received: (qmail 74474 invoked by uid 1000); 9 Apr 1999 14:57:37 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
  by localhost with SMTP; 9 Apr 1999 14:57:37 -0000
Date: Fri, 9 Apr 1999 10:57:37 -0400 (EDT)
From: The Tech-Admin Dude <geniusj@phoenix.unacom.com>
To: Wes Peters <wes@softweyr.com>
Cc: Daniel Hagan <dhagan@cs.vt.edu>,
	Robert Watson <robert+freebsd@cyrus.watson.org>,
	Matthew Dillon <dillon@apollo.backplane.com>,
	Foxfair Hu <foxfair@news.ks.edu.tw>, freebsd-security@FreeBSD.ORG
Subject: Re: Fw: Netscape 4.5 vulnerability
In-Reply-To: <370E0336.83577BA7@softweyr.com>
Message-ID: <Pine.BSF.4.10.9904091056550.74387-100000@phoenix.unacom.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org



On Fri, 9 Apr 1999, Wes Peters wrote:

> Daniel Hagan wrote:
> > 
> > On Thu, 8 Apr 1999, Robert Watson wrote:
> > 
> > > >     The 'security hole' is that netscape doesn't make the .netscape
> > > >     directory 700.  I'd report it to netscape.  I dunno whether they
> > > >     will do anything about it, though.
> > >
> > > Huh.  Didn't do that for me; mine is safely readable and writable only for
> > > my uid.
> > 
> > What's your umask?  If you use umask 077, then this is what I would
> > expect, but "typical" users who don't change it from 022 would probably
> > end up with a 755 .netscape directory.  Netscape should be smart enough to
> > at least set the profile file to 600, if not the entire directory to 700.
> 
> My umask is 022 and my .netscape directory is 700.  I didn't change it,
> so Netscape must have created it that way.  This is Communicator 4.5
> (linux version; it's more reliable than the FreeBSD binary) on 3.1.
> 
> -- 
>        "Where am I, and what am I doing in this handbasket?"
> 
> Wes Peters                                                 Softweyr LLC
> http://www.softweyr.com/~softweyr                      wes@softweyr.com
> 
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
> 
I'm using the FreeBSD binary and it is only readable to my UID also, and I
have not changed a thing.. One is not more reliable than the other, its
the same code folks..



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message