tags 308897 + pending
thanks

* Paul Brossier ([EMAIL PROTECTED]) said:
> please correct me if this is over inflated severity. justification:
> introduces a security hole on systems where you install the packages
> 
> in its default configuration, backup-manager stores a .tar.gz of /etc in
> /var/backups. this file is world readable, so that any local user is
> able to read /etc/shadow, /etc/ppp/chap-scripts and other interesting
> bits from it.

You're absolutely right.
This bug is closed in the upcoming new upstream version 0.5.8.

I'll ask my sponsor to upload the new package as soon as the upstream
release is ready.

> a solution to this problem is to have backup-manager create files with
> perms 0700.

I chose the solution to add two new configuration keys: BM_USER and BM_GROUP.
The archives repository will be chowned to $BM_USER:$BM_GROUP and will be
chmoded 660.

-- 
                                  Alexis Sukrieh <[EMAIL PROTECTED]>
                                               http://www.sukria.net

« Quidquid latine dictum sit, altum sonatur. » 
Whatever is said in Latin sounds profound.
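
The fix described in the message above, as an added example that is not backup-manager's own code and not part of the original mail: POSIX shell functions that find world-readable archives in a repository and apply the ownership and mode the mail names. Only BM_USER, BM_GROUP and mode 660 come from the mail; the function names, the 770 directory mode and the umask step are assumptions.

```shell
#!/bin/sh
# Added example; hypothetical helper names, not backup-manager functions.

# List every regular file under the repository that "other" can read.
# A non-empty result on /var/backups is the condition the bug report describes.
audit_repo() {
    find "$1" -type f -perm -0004 -print
}

# Apply owner and group only when running as root and both keys are set.
apply_owner() {
    if [ "$(id -u)" -eq 0 ] && [ -n "${BM_USER:-}" ] && [ -n "${BM_GROUP:-}" ]; then
        chown "$@" "$BM_USER:$BM_GROUP"
    fi
}

# Create an archive of directory $1 as $2/$3.
# The umask is tightened before tar runs, so the file is never world-readable,
# not even for the moment between creation and the later chmod.
make_archive() {
    src=$1 repo=$2 name=$3
    (
        umask 077
        tar -czf "$repo/$name" -C "$(dirname "$src")" "$(basename "$src")"
    ) || return 1
    chmod 660 "$repo/$name"
    apply_owner -- "$repo/$name"
}

# Bring an existing repository in line with the fix: files get 660.
# Assumption: the directory itself gets 770, since it needs the search bit.
harden_repo() {
    repo=$1
    chmod 770 "$repo"
    find "$repo" -type f -exec chmod 660 {} +
    apply_owner -R -- "$repo"
}
```

Running `audit_repo /var/backups` before and after an upgrade shows whether archives written by the old default are still exposed; a new package version does not change the mode of files that already exist.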
