Closed
Bug 179359
Opened 23 years ago
Closed 23 years ago
insecure file permissions for passwords/mail files upon profile creation
Categories
(MailNews Core :: Security, defect)
Tracking
(Not tracked)
People
(Reporter: traykovs, Assigned: security-bugs)
Details
(Whiteboard: DUPEME)
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2b) Gecko/20021108
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2b) Gecko/20021108
Hi,
I just used the build above to recreate my profile from scratch. After examining
the file permissions I found out that:
- the passwords file is world-readable (ok, the key to decrypt it isn't, but..)
- all my mail messages (pop & downloaded imap) were world-readable!
I am not sure what the considerations are to not clear all group/world
permissions for the whole .mozilla structure. The files above should be
protected anyway, of course..
Reproducible: Always
Steps to Reproduce:
1. Create a profile.
2. Download some mail. Save your passwords with password manager.
3. Have some colleagues with nasty ideas:-)
Actual Results:
(as if my default umask was used: incl. subdirs)
drwxrwxr-x Mail
drwxtwxr-x ImapMail
-rw-rw-r-- 36943395.s
Expected Results:
drwx------ Mail
drwx------ ImapMail
-rw------- 36943395.s
The workaround (just clear the permissions) is quite simple. It IS a critical
bug, though.
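The workaround described in the report above (clearing group/world permissions on the profile tree), as an added example that is not part of the original report or of Mozilla's code. The function names are hypothetical, the profile path is supplied by the caller, and the sample tree is constructed to mirror the listing under "Actual Results".

```shell
#!/bin/sh
# Added example: audit and tighten the permissions of a profile directory.

# List every entry under $1 that grants any group/other permission bit.
# Symlinks are skipped: chmod would follow them out of the tree.
list_exposed() {
    find "$1" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Number of exposed entries; 0 means the tree is private to its owner.
count_exposed() {
    list_exposed "$1" | wc -l | tr -d ' '
}

# Clear all group/other bits under $1, leaving the owner bits untouched.
tighten_profile() {
    find "$1" ! -type l -exec chmod go-rwx {} +
}

# Octal mode of one path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Constructed sample tree with the modes from the report's "Actual Results".
make_sample_profile() {
    d=$(mktemp -d) || return 1
    mkdir -m 775 "$d/Mail" "$d/ImapMail"
    : > "$d/36943395.s"
    chmod 664 "$d/36943395.s"
    printf '%s\n' "$d"
}

# When called with a directory argument: report, fix, report again.
if [ -n "${1:-}" ]; then
    echo "exposed before: $(count_exposed "$1")"
    list_exposed "$1"
    tighten_profile "$1"
    echo "exposed after:  $(count_exposed "$1")"
fi
```

This only repairs existing files; files the application creates later still follow the process umask, which is the behaviour the report describes.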
Status: UNCONFIRMED → RESOLVED
Closed: 23 years ago
Resolution: --- → DUPLICATE
Updated•21 years ago
Product: MailNews → Core
Updated•17 years ago
Product: Core → MailNews Core