Merge lp://qastaging/~lfaraone/pithos/password-permissions-fix into lp://qastaging/~kevin-mehall/pithos/trunk
| Status: | Merged |
|---|---|
| Merged at revision: | 157 |
| Proposed branch: | lp://qastaging/~lfaraone/pithos/password-permissions-fix |
| Merge into: | lp://qastaging/~kevin-mehall/pithos/trunk |
| Diff against target: |
104 lines (+62/-3) 2 files modified
bin/pithos (+3/-0) pithos/PreferencesPithosDialog.py (+59/-3) |
| To merge this branch: | bzr merge lp://qastaging/~lfaraone/pithos/password-permissions-fix |
| Related bugs: |
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Kevin Mehall | Pending | ||
|
Review via email:
|
|||
Commit message
CVE-2011-1500: Fix password leak to local users through file permissions. (LP: #733307)
On start, check file permissions according to new rules as follows:
If the file is 0644 and if "unsafe_
chmod 0600
If the file is world-readable and/or writable (but not exactly 0644) and if
"unsafe_
chmod o-rw
To override this new behavior, set unsafe_permissions to False in pithos.ini.
On new configuration file creation, set to 0600.
Description of the change
Fixes bad permissions on the config file.
To test, verify that:
* On new systems it creates a file with 0600 permissions
* On upgraded systems it changes files with 0644 permissions to 0600
* On systems where the file had 0640 / 0660 permissions, nothing is changed.
* After running once, an unsafe_permissions key is created.
* Setting unsafe_permissions to True causes the above rules to be ignored.
