Hylafax Mailing List Archives
Re: [hylafax-users] Requiring hosts.hfaxd to be 0600 is bad practice
Charles Duffy wrote:
> Per subject. Making the file user-readable only (and thus guaranteeing
> that it needs to be owned by the fax user) means that the fax user can
> also write to this file, and change its permissions (if it isn't
> already owner-writable).
>
> From the perspective of minimizing the damage which can be done by a
> user who has broken into the fax account, this is a Bad Thing -- much
> better if the file were owned by root and readable by fax via group
> permissions. (There are lots of other cases as well where hylafax's
> permissions are other than ideal from this perspective, but this is
> the first one so far that's required a code patch to resolve).
>
> Any chance of modifying or parameterizing this permission check upstream?

Feel free to file a bug report on Bugzilla and attach your suggested patch.
Thanks,
Lee.
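
The layout proposed in the quoted message (file owned by root, readable by the fax user only through its group) written as a parameterized check next to the owner-only 0600 rule. This is an added example, not part of the thread and not HylaFAX source; `classify_perms`, `open_checked`, the verdict names and the uid/gid parameters are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L   /* for O_NOFOLLOW */
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Added example, not HylaFAX code; every name here is hypothetical. */
enum perm_verdict {
    PERM_REJECT = 0,
    PERM_OK_OWNER_ONLY,  /* owned by the service user, no group/other bits */
    PERM_OK_ROOT_GROUP   /* owned by root, read-only for the service group */
};

/* Pure policy decision on metadata that has already been collected. */
enum perm_verdict classify_perms(const struct stat *st,
                                 uid_t service_uid, gid_t service_gid)
{
    if (!S_ISREG(st->st_mode))
        return PERM_REJECT;              /* directories, FIFOs, devices */
    if (st->st_mode & (S_IRWXO | S_ISUID | S_ISGID))
        return PERM_REJECT;              /* never accessible to "other" */

    /* Hardened layout: the service can read the file but cannot rewrite
     * or chmod it, because it is not the owner. */
    if (st->st_uid == 0 && st->st_gid == service_gid &&
        (st->st_mode & S_IRGRP) && !(st->st_mode & (S_IWGRP | S_IXGRP)))
        return PERM_OK_ROOT_GROUP;

    /* Owner-only layout, which is what a strict 0600 rule enforces. */
    if (st->st_uid == service_uid && !(st->st_mode & S_IRWXG))
        return PERM_OK_OWNER_ONLY;
    return PERM_REJECT;
}

/* Check the descriptor that will actually be read, so the file cannot be
 * swapped between check and use. Returns an open fd, or -1 if rejected. */
int open_checked(const char *path, uid_t service_uid, gid_t service_gid,
                 enum perm_verdict *verdict)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    *verdict = PERM_REJECT;
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0)
        *verdict = classify_perms(&st, service_uid, service_gid);
    if (*verdict == PERM_REJECT) { close(fd); return -1; }
    return fd;
}
```

Returning the verdict rather than a plain yes/no lets a caller accept both layouts while logging which one is in use.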