Re: [hylafax-users] Requiring hosts.hfaxd to be 0600 is bad practice

To: Charles Duffy <cduffy@xxxxxxxxxxx>
Subject: Re: [hylafax-users] Requiring hosts.hfaxd to be 0600 is bad practice
From: Lee Howard <faxguy@xxxxxxxxxxxxxxxx>
Cc: hylafax-users@xxxxxxxxxxx
Date: Mon, 29 Aug 2005 08:28:33 -0700

Charles Duffy wrote:

Per subject. Making the file user-readable only (and thus guaranteeing that it needs to be owned by the fax user) means that the fax user can also write to this file, and change its permissions (if it isn't already owner-writable).

From the perspective of minimizing the damage which can be done by a user who has broken into the fax account, this is a Bad Thing -- much better if the file were owned by root and readable by fax via group permissions. (There are lots of other cases as well where hylafax's permissions are other than ideal from this perspective, but this is the first one so far that's required a code patch to resolve).

Any chance of modifying or parameterizing this permission check upstream?

Feel free to file a bug report on Bugzilla and attach your suggested patch.

Thanks,

Lee.


____________________ HylaFAX(tm) Users Mailing List _______________________
 To subscribe/unsubscribe, click http://lists.hylafax.org/cgi-bin/lsg2.cgi
On UNIX: mail -s unsubscribe hylafax-users-request@xxxxxxxxxxx < /dev/null
 *To learn about commercial HylaFAX(tm) support, mail sales@xxxxxxxxx*

References:
- [hylafax-users] Requiring hosts.hfaxd to be 0600 is bad practice
  - From: Charles Duffy

Prev by Date: [hylafax-users] Adding a new fax device without faxaddmodem
Next by Date: Re: [hylafax-users] Adding a new fax device without faxaddmodem
Previous by thread: [hylafax-users] Requiring hosts.hfaxd to be 0600 is bad practice
Next by thread: Re: [hylafax-users] Requiring hosts.hfaxd to be 0600 is bad practice
Index(es):
- Main
- Thread

Project hosted by iFAX Solutions