| Summary: | =net-wireless/wpa_supplicant has world readable default configuration file | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Kobboi <gentoo> |
| Component: | Default Configs | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED OBSOLETE | | |
| Severity: | major | CC: | alexxy, gurligebis, jacobgodserv |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B3 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |

Description
Kobboi
2009-03-27 20:53:33 UTC
wpa_supplicant is running as root, so only root needs to read that file.

I can reproduce this on 0.6.8 (which is not yet in the tree :-)

Same for net-wireless/wpa_supplicant-0.7.2-r3

This file contains keys and passwords. Needs fixing.

Checking the ebuild, something similar to this?

+ # fix rights in etc/asterisk before installing to /etc/asterisk + cd "${D}"; + for confile in etc/asterisk/*.*; do + fowners asterisk:asterisk $confile; + fperms 0660 $confile; + done;

Passwords are no longer stored in this file so this issue has been mitigated. The conf file is now used as a dbus configuration. Closing as noglsa due to age.
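
Review bot: `fowners asterisk:asterisk` and `fperms 0660` in the pasted loop are carried over from the asterisk package and do not match this report, which says wpa_supplicant runs as root and only root needs to read the file. An adapted version would set root ownership and a mode with no group or other bits (such as 0600) on the wpa_supplicant configuration file instead of globbing `etc/asterisk/*.*`. `$confile` should also be quoted in both calls.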
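
A way to check an installed system for the exposure reported here, as an added example that is not part of the bug thread or the ebuild. The function names, the sample file contents and the list of credential keys checked (`psk`, `password`, `wep_key0`..`wep_key9`, `private_key_passwd`) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a wpa_supplicant-style config for the exposure in this report.

# conf_exposure FILE
# Prints one of: missing | ok | exposed | exposed-with-secrets
conf_exposure() {
    f=$1
    if [ ! -f "$f" ]; then echo missing; return 0; fi
    # Field 1 of `ls -ld` is the mode string (e.g. -rw-r--r--);
    # characters 5-10 are the group and other permission bits.
    go=$(ls -ld -- "$f" | awk '{print $1}' | cut -c5-10)
    if [ "$go" = "------" ]; then echo ok; return 0; fi
    # Uncommented credential settings used in wpa_supplicant.conf network blocks.
    if grep -Eq '^[[:space:]]*(psk|password|wep_key[0-9]|private_key_passwd)[[:space:]]*=' "$f"
    then echo exposed-with-secrets
    else echo exposed
    fi
}

# lock_down FILE: remove all group/other access, keep owner read/write.
# Ownership is left alone; the report's premise is that the owner is root.
lock_down() {
    chmod 0600 -- "$1"
}

# Constructed sample input (not a real configuration).
demo() {
    t=$(mktemp) || return 1
    printf '%s\n' 'ctrl_interface=/var/run/wpa_supplicant' \
        'network={' '    ssid="example-net"' \
        '    psk="constructed-passphrase"' '}' > "$t"
    chmod 0644 "$t"
    before=$(conf_exposure "$t")
    lock_down "$t"
    after=$(conf_exposure "$t")
    rm -f -- "$t"
    echo "$before -> $after"
}

demo
```

Commented-out credential lines are ignored, so a file that is readable by group or others but holds no live secrets is reported as `exposed` instead of `exposed-with-secrets`.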