Bug 63551 - media-sound/shoutcast-server-bin: conf files with passwords are world readable
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
Whiteboard: B4 [ebuild+] lewk
Reported: 2004-09-10 07:25 UTC by Mugurel Tudor
Modified: 2011-10-30 22:40 UTC
Description Mugurel Tudor 2004-09-10 07:25:16 UTC
This applies to:

media-sound/shoutcast-server-bin
media-sound/shoutcast-trans-bin

Their configuration files (sc_serv.conf and sc_trans.conf) by default are installed world readable. If I, as root, set the password for the server, any user with an account on my computer can see the password for the Shoutcast server. This is not OK.

By default, the configuration files, which may contain plain text passwords, should be installed with read permissions only for root. This should not break anything for the default setup.


Reproducible: Always
Steps to Reproduce:
1. Emerge either media-sound/shoutcast-server-bin, or media-sound/shoutcast-trans-bin
2. Check the permissions on /etc/shoutcast/sc_serv.conf and /etc/shoutcast/sc_trans.conf

Actual Results:  
The permissions on those files are world readable, and those configuration files
will contain plain text passwords for the administration of the shoutcast server.

Expected Results:  
The configuration files should be installed with "read" attribute only for root.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-09-11 02:53:21 UTC
Chris, plz fix
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-09-16 05:53:51 UTC
Anyone in sound herd?
Comment 3 Jeremy Huddleston (RETIRED) gentoo-dev 2004-09-16 09:00:38 UTC
Chris is away.  I'll take care of it...
Comment 4 Jeremy Huddleston (RETIRED) gentoo-dev 2004-09-16 09:19:07 UTC
Safe versions:
media-sound/shoutcast-server-bin-1.9.4-r1
media-sound/shoutcast-trans-bin-0.4.0-r1
Comment 5 Luke Macken (RETIRED) gentoo-dev 2004-09-17 05:28:01 UTC
Thanks eradicator for resolving this issue.

Closing without GLSA.
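
An added example, not part of the original bug report or the Gentoo ebuild: the permission check from step 2 of the report, written as a script that lists `*.conf` files which are world-readable and hold a password setting, then restricts them to mode 0600. The sample tree, its file contents and the pattern matching key names that end in `password` are constructed assumptions.

```shell
#!/bin/sh
# Added example: find config files that contain a password setting and are
# readable by every local user, then tighten their mode.

# List *.conf files under $1 that have the "other" read bit set and contain
# a key whose name ends in "password" (the key pattern is an assumption).
find_exposed_confs() {
    find "$1" -type f -name '*.conf' -perm -004 | sort | while IFS= read -r f; do
        if grep -Eiq '^[[:space:]]*[a-z_]*password[[:space:]]*=' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Remove all group/other access, leaving owner read/write (mode 0600).
# The report additionally expects the owner to be root; chown is not done
# here so the example also runs unprivileged.
restrict_conf() {
    chmod 0600 "$1"
}

# Constructed sample tree standing in for /etc/shoutcast.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    printf 'PortBase=8000\nPassword=constructed-secret\n' > "$d/sc_serv.conf"
    printf 'ServerIP=127.0.0.1\nPassword=constructed-secret\n' > "$d/sc_trans.conf"
    printf 'PortBase=8000\n' > "$d/no_secret.conf"
    chmod 0644 "$d/sc_serv.conf" "$d/no_secret.conf"   # world-readable
    chmod 0600 "$d/sc_trans.conf"                      # already restricted
    printf '%s\n' "$d"
}

# Demo: audit the sample tree, tighten what is found, audit again.
run_demo() {
    dir=$(make_sample_tree) || return 1
    echo "exposed before:"; find_exposed_confs "$dir"
    find_exposed_confs "$dir" | while IFS= read -r f; do restrict_conf "$f"; done
    echo "exposed after:"; find_exposed_confs "$dir"
    rm -rf "$dir"
}

run_demo
```

To audit a real installation, call `find_exposed_confs /etc/shoutcast` instead of `run_demo`.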