[12622] in bugtraq
default permissions for tin
daemon@ATHENA.MIT.EDU (Brian)
Wed Nov 17 13:41:28 1999
Message-Id: <19991117095845.A32397@ruff.cs.jmu.edu>
Date: Wed, 17 Nov 1999 09:58:45 -0500
Reply-To: Brian <cazz@RUFF.CS.JMU.EDU>
From: Brian <cazz@RUFF.CS.JMU.EDU>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

the default permissions for the tin (v 1.4.0) configuration directory allow
users to read passwords

[cazz@ruff:~]$ ls -la |grep .tin
drwxr-xr-x 7 cazz cazz 1024 Nov 17 09:03 .tin
[cazz@ruff:~/.tin]$ ls -la .inputhistory
-rw-rw-r-- 1 cazz cazz 8192 Nov 17 09:21 .inputhistory

if a user is using an authenticated news server, tin saves all
keystrokes typed into tin in the file ~/.tin/.inputhistory

simple solution,

rm -f ~/.tin/.inputhistory
touch ~/.tin/.inputhistory
chmod 000 ~/.tin/.inputhistory

-cazz
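
Added example, not part of the original post: a POSIX shell check that reads the same `ls -l` mode string shown in the message and flags a tin directory or `.inputhistory` file that group or other can access. The function names are hypothetical, and `tin_harden` is an assumed alternative to the post's `chmod 000` workaround: it keeps the history file but strips group/other access.

```shell
#!/bin/sh
# Added example: audit a tin configuration directory for the exposure
# described in the post. Source this file, then run: tin_audit [DIR]
# DIR defaults to ~/.tin. All function names here are hypothetical.

# Print the six group+other permission characters of a path,
# e.g. "r-xr-x" for drwxr-xr-x (columns 5-10 of the ls mode string).
go_bits() {
    ls -ld -- "$1" | cut -c5-10
}

# Report the directory and the history file if group or other has any
# access bit set. Returns 0 when nothing is exposed, 1 otherwise.
tin_audit() {
    dir=${1:-"$HOME/.tin"}
    rc=0
    for p in "$dir" "$dir/.inputhistory"; do
        [ -e "$p" ] || continue          # a missing file is not a finding
        bits=$(go_bits "$p")
        if [ "$bits" != "------" ]; then
            echo "EXPOSED $p (group/other: $bits)"
            rc=1
        fi
    done
    return $rc
}

# Assumed alternative to the post's chmod 000 workaround: remove every
# group/other bit and leave the owner's bits unchanged.
tin_harden() {
    dir=${1:-"$HOME/.tin"}
    chmod go-rwx "$dir"
    [ -e "$dir/.inputhistory" ] && chmod go-rwx "$dir/.inputhistory"
    return 0
}
```

With the modes from the post (755 on `.tin`, 664 on `.inputhistory`), `tin_audit` reports both paths and returns 1.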