Closed Bug 179359 Opened 20 years ago Closed 20 years ago

insecure file permissions for passwords/mail files upon profile creation

Categories

(MailNews Core :: Security, defect)

x86
Linux
defect
Not set
critical

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 59557

People

(Reporter: traykovs, Assigned: security-bugs)

Details

(Whiteboard: DUPEME)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2b) Gecko/20021108
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2b) Gecko/20021108

Hi,
I just used the build above to recreate my profile from scratch. After examining
the file permissions I found out that:

- the passwords file is world-readable (ok, the key to decrypt it isn't, but..)

- all my mail messages (pop & downloaded imap) were world-readable!

I am not sure what the considerations are to not clear all group/world
permissions for the whole .mozilla structure. The files above should be
protected anyway, of course..

Reproducible: Always

Steps to Reproduce:
1. Create a profile.
2. Download some mail. Save your passwords with password manager.
3. Have some colleagues with nasty ideas:-)

Actual Results:  
(as if my default umask was used: incl. subdirs)
drwxrwxr-x Mail
drwxtwxr-x ImapMail
-rw-rw-r-- 36943395.s

Expected Results:  
drwx------ Mail
drwx------ ImapMail
-rw------- 36943395.s

The workaround (just clear the permissions) is quite simple. It IS a critical
bug, though.
This has been being ignored for a long time now... :(
Whiteboard: DUPEME
Dupe of bug 59557.

*** This bug has been marked as a duplicate of 59557 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
V
Status: RESOLVED → VERIFIED
Product: MailNews → Core
Product: Core → MailNews Core
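
Added example, not part of the original bug report or of Mozilla's code: a Python sketch that audits a profile tree for group/world permission bits and applies the "clear the permissions" workaround the report mentions. The function names and the constructed sample tree (created under an assumed umask of 002 to reproduce the reported modes) are assumptions made for illustration.

```python
import os
import stat
import tempfile

GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO  # 0o077: every group and world bit


def exposed_entries(profile_root):
    """Return sorted (relative path, mode string) for entries with any group/world bit."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(profile_root):
        # dirpath covers every directory once; filenames covers its files.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits do not control access
            if st.st_mode & GROUP_OTHER:
                rel = os.path.relpath(path, profile_root)
                found.append((rel, stat.filemode(st.st_mode)))
    return sorted(found)


def tighten(profile_root):
    """Clear group/world bits on every exposed entry; return how many were changed."""
    exposed = exposed_entries(profile_root)
    for rel, _mode in exposed:
        path = os.path.join(profile_root, rel)
        os.chmod(path, stat.S_IMODE(os.lstat(path).st_mode) & ~GROUP_OTHER)
    return len(exposed)


def build_sample_profile(umask=0o002):
    """Constructed sample: a profile tree created under a permissive umask."""
    root = tempfile.mkdtemp(prefix="profile-")  # mkdtemp itself is always 0700
    old = os.umask(umask)
    try:
        os.mkdir(os.path.join(root, "Mail"))
        os.mkdir(os.path.join(root, "ImapMail"))
        with open(os.path.join(root, "36943395.s"), "w") as fh:
            fh.write("constructed placeholder, not real data\n")
    finally:
        os.umask(old)
    return root


if __name__ == "__main__":
    root = build_sample_profile()
    for rel, mode in exposed_entries(root):
        print(mode, rel)
    print("tightened:", tighten(root), "remaining:", exposed_entries(root))
```

Running the audit again after `tighten` should report nothing; any entry that reappears later was created afterwards under the process umask.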