From: Matthias A. <mat...@gm...> - 2005-10-21 16:10:13
On Fri, 21 Oct 2005, Thomas Wolff wrote:

> Hello,
>
> > * fetchmailconf now changes the output file to mode 0600 BEFORE writing to it,
> > so there is no window where passwords could be read by the world.
> > Matthias Andree.
>
> This doesn't sound quite right. The only safe way is to CREATE the
> file in 600 mode right away. If you just CHANGE to 600 even before writing
> to it, there IS an unsafe window.
>
> Try the following:
> touch x
> tail -f x
>
> Then in another shell:
> chmod -r x
> echo bla >> x
>
> "bla" will show up in the first window, read by "tail".

Right you are, and thanks for reporting the problem. (Thanks also to
Miloslav Trmac, who also reported the problem.)

Actually, the new script also sets the umask to 077 before opening the
file, so we're doing the right thing, only the NEWS file is off track.

I have uploaded a new version of a security announcement, now at
http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt and will ship it to
pertinent lists shortly.

I have also withdrawn fetchmailconf-1.43.1 and the corresponding patch
from distribution and uploaded fetchmailconf-1.43.2 for users of
fetchmail-6.2.5.2.

Please, further discussion only on fet...@li....

Warning: reply-to is set - take care should you desire to mail me directly -
some mailers require you to manually pick "To Sender Only" or "Ignore
Reply-To."

-- 
Matthias Andree
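The two points made in this exchange, that a create-then-chmod sequence leaves a window in which the file is world-readable, that an already-open reader (the `tail -f`) keeps reading after the chmod, and that a 077 umask or an explicit 0600 mode at open time closes the window, can be checked directly. The Python below is an added example written for this page; it is not fetchmailconf's code and not from the thread. Function names are mine, it assumes a POSIX filesystem, and it writes only into a scratch directory it creates itself.

```python
import os
import stat
import tempfile


def _mode(path):
    """Permission bits of path as an int, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def create_then_chmod(path, data, umask=0o022):
    """The sequence the NEWS entry described: create, chmod 0600, then write.

    Returns the permission bits the file carried between creation and the
    chmod, i.e. what another user racing the script can see. With the
    usual umask of 022 the file is created 0644; with umask 077 (what the
    corrected script sets) it is created 0600 and the window disappears.
    """
    old = os.umask(umask)
    try:
        f = open(path, "w")          # Python creates with 0o666 & ~umask
        exposed = _mode(path)        # the window: file exists, not yet 0600
        os.chmod(path, 0o600)
        f.write(data)
        f.close()
    finally:
        os.umask(old)
    return exposed


def create_private(path, data, umask=0o077):
    """Create the file with mode 0600 from the start (plus a restrictive
    umask as belt-and-braces), so it never exists with wider permissions.

    O_EXCL is an extra caveat not raised in the thread: it refuses to reuse
    a file or symlink an attacker may have planted at path beforehand.
    """
    old = os.umask(umask)
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        exposed = _mode(path)        # already 0600 on this process's first look
        with os.fdopen(fd, "w") as f:
            f.write(data)
    finally:
        os.umask(old)
    return exposed


def chmod_does_not_revoke_open_handles(path):
    """Re-creates Thomas Wolff's experiment in-process: a reader that opened
    the file while it was readable keeps reading after `chmod -r`.

    Returns what the reader saw after the chmod and the append.
    """
    with open(path, "w"):
        pass                          # touch x
    os.chmod(path, 0o644)
    reader = open(path, "r")          # tail -f x (holds a read handle)
    os.chmod(path, 0o200)             # chmod -r x (write bit kept for owner)
    with open(path, "a") as f:
        f.write("bla\n")              # echo bla >> x
    seen = reader.read()              # the existing handle is not revoked
    reader.close()
    return seen


def run_demo():
    """Run all observations in a private scratch directory and return them."""
    with tempfile.TemporaryDirectory() as d:
        p = lambda name: os.path.join(d, name)
        return {
            "create_then_chmod_umask022": create_then_chmod(p("a"), "secret"),
            "create_then_chmod_umask077": create_then_chmod(p("b"), "secret", 0o077),
            "create_private": create_private(p("c"), "secret"),
            "reader_saw_after_chmod": chmod_does_not_revoke_open_handles(p("d")),
        }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, oct(v) if isinstance(v, int) else repr(v))
```

The `chmod_does_not_revoke_open_handles` result is the reason the chmod-after-create ordering cannot be repaired by moving the chmod earlier: permission bits are checked at `open()` time, not per read, so any reader that gets in during the window keeps its handle. Only creating the file with the final mode (explicit 0600, umask 077, or both) avoids the window; a fresh `open(path)` for reading after the `chmod -r` would fail for a non-root user, but that check is deliberately not asserted here because root bypasses mode bits.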