Bernard Johnson wrote: > Paul J Stevens wrote: >> Seems like a bug. I'm removing the umask call. > > I would think you want the logs written as 0600 since they may have > sensitive data from the logs. > >> Bernard Johnson wrote: >>> (dbmail 2.2.2) >>> >>> In server.c, line 450 you set the umask to 0. This allows the log files >>> to be r/w by anyone. Was that intended?
At the right debugging level / configuration settings, this leaves the log files open to be read by anyone, potentially exposing passwords. Wouldn't it be safer to set the umask to 0077? Or, at least ad some docs somewhere that the server will write logs with whatever umask that it is started with, so people know to set that first if they are concerned about the security of their accounts. _______________________________________________ Dbmail-dev mailing list Dbmail-dev@dbmail.org http://twister.fastxs.net/mailman/listinfo/dbmail-dev
