if sysctl.conf is used to configure grsecurity, all the grsecurity capabilities listed in sysctl.conf are world readable. Normally this capabilies shouldn't be world readable in the fact that : proc/sys/kernel/grsecurity/ is not world readable. [zataz@www zataz]$cat /proc/sys/kernel/grsecurity/ cat: /proc/sys/kernel/grsecurity/: Permission denied Reproducible: Always Steps to Reproduce: 1. 2. 3. Actual Results: sysctl.conf is world readable Expected Results: sysctl.conf shouldn't be world readable
I fail to see this as a valid security problem. (No GLSA Please) I have no objections to the default sysctl.conf permissions being 640 Mode 666 would be insecure, the existing 640 at tops is an info leak.
yeah, i have no problem updating sysctl.conf to be 640 in baselayout, but beyond that ...
SpanKY retaking bug. 640 seems fine with me.
Damn bug come here:-)
why ? the 'default config' of sysctl.conf is fine this is only an issue if the user edits the file and adds their own stuff to it that happens to be considered sensitive ... but at that point, it's no longer a 'default config' :P
in comment #1 I ment 644 at tops vs 640
vapier, my broad understanding of "default configs" include file permissions. If you really want the bug take it and cc security.
the default permissions are not insecure anyways, i'll just update baselayout to install as 640 and close the bug and everyone can be happy
fixed in portage
