fetchmail-friends

[fetchmail]Re: [fetchmail-users] fetchmail 6.2.9-rc6 available (yet another candidate...)

2005-10-21 07:12:21
On Fri, 21 Oct 2005, Thomas Wolff wrote:

Hello,

* fetchmailconf now changes the output file to mode 0600 BEFORE writing to it,
  so there is no window where passwords could be read by the world.
  Matthias Andree.
This doesn't sound quite right. The only safe way is to CREATE the 
file in 600 mode right away. If you just CHANGE to 600 even before writing 
to it, there IS an unsafe window.
Try the following:
touch x
tail -f x

Then in another shell:
chmod -r x
echo bla >> x

"bla" will show up in the first window, read by "tail".

Right you are, and thanks for reporting the problem.
(Thanks also to Miloslav Trmac, who also reported the problem.)

Actually, the new script also sets the umask to 077 before opening the
file, so we're doing the right thing, only the NEWS file is off track.

I have uploaded a new version of a security announcement, now at
http://fetchmail.berlios.de/fetchmail-SA-2005-02.txt and will ship it to
pertinent lists shortly.

I have also withdrawn fetchmailconf-1.43.1 and the corresponding patch
from distribution and uploaded fetchmailconf-1.43.2 for users of
fetchmail-6.2.5.2.

Please, further discussion only on 
fetchmail-devel(_at_)lists(_dot_)berlios(_dot_)de(_dot_)

Warning: reply-to is set - take care should you desire to mail me
directly - some mailers require you to manually pick "To Sender Only" or
"Ignore Reply-To."

-- 
Matthias Andree

_______________________________________________
Fetchmail-friends mailing list
Fetchmail-friends(_at_)lists(_dot_)ccil(_dot_)org
http://lists.ccil.org/cgi-bin/mailman/listinfo/fetchmail-friends
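
The difference between changing a file to mode 0600 and creating it with mode 0600, as an added example that is not code from fetchmailconf or from this message. The function names, the sample password line and the use of `O_EXCL` are assumptions made for the illustration.

```python
import os
import stat
import tempfile

SECRET = b"poll mail.example.org password hunter2\n"  # constructed sample line

def chmod_then_write(path):
    """Weak pattern: file exists with a loose mode, chmod 0600, then write.
    Returns what a reader that opened the file before the chmod can see."""
    with open(path, "wb"):              # created with the umask-derived mode
        pass
    os.chmod(path, 0o644)               # make the loose starting mode explicit
    reader = os.open(path, os.O_RDONLY) # stands in for someone's "tail -f"
    try:
        os.chmod(path, 0o600)           # permissions are only checked at open()
        with open(path, "ab") as f:
            f.write(SECRET)
        return os.read(reader, 4096)    # the old descriptor still works
    finally:
        os.close(reader)

def create_private(path, data):
    """Create the file with mode 0600 from the start; refuse an existing file."""
    old_umask = os.umask(0o077)         # umask 077 before opening, as described above
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    finally:
        os.umask(old_umask)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return stat.S_IMODE(os.stat(path).st_mode)

def demo():
    with tempfile.TemporaryDirectory() as d:
        leaked = chmod_then_write(os.path.join(d, "weak"))
        target = os.path.join(d, "safe")
        mode = create_private(target, SECRET)
        try:
            create_private(target, SECRET)  # pre-existing file must be refused
            refused = False
        except FileExistsError:
            refused = True
        return leaked, mode, refused

if __name__ == "__main__":
    print(demo())
```

To replace an existing configuration file, create the private file under a temporary name in the same directory and rename it over the old one.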
