From mboxrd@z Thu Jan 1 00:00:00 1970 Path: news.gmane.org!not-for-mail From: Glenn Morris Newsgroups: gmane.emacs.devel Subject: Re: [dkg@fifthhorseman.net: security: url-cookies file stored world-readable, allowing session hijacking] Date: Sat, 08 Dec 2007 20:38:09 -0500 Message-ID: <08bq90odfi.fsf@fencepost.gnu.org> References: NNTP-Posting-Host: lo.gmane.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Trace: ger.gmane.org 1197164307 20743 80.91.229.12 (9 Dec 2007 01:38:27 GMT) X-Complaints-To: usenet@ger.gmane.org NNTP-Posting-Date: Sun, 9 Dec 2007 01:38:27 +0000 (UTC) Cc: rms@gnu.org, emacs-devel@gnu.org To: dkg@fifthhorseman.net Original-X-From: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Sun Dec 09 02:38:37 2007 Return-path: Envelope-to: ged-emacs-devel@m.gmane.org Original-Received: from lists.gnu.org ([199.232.76.165]) by lo.gmane.org with esmtp (Exim 4.50) id 1J1B7p-0004fI-W7 for ged-emacs-devel@m.gmane.org; Sun, 09 Dec 2007 02:38:34 +0100 Original-Received: from localhost ([127.0.0.1] helo=lists.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1J1B7Y-0004cp-HF for ged-emacs-devel@m.gmane.org; Sat, 08 Dec 2007 20:38:16 -0500 Original-Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1J1B7V-0004cd-3t for emacs-devel@gnu.org; Sat, 08 Dec 2007 20:38:13 -0500 Original-Received: from exim by lists.gnu.org with spam-scanned (Exim 4.43) id 1J1B7T-0004cB-MK for emacs-devel@gnu.org; Sat, 08 Dec 2007 20:38:12 -0500 Original-Received: from [199.232.76.173] (helo=monty-python.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1J1B7T-0004c7-IX for emacs-devel@gnu.org; Sat, 08 Dec 2007 20:38:11 -0500 Original-Received: from fencepost.gnu.org ([140.186.70.10]) by monty-python.gnu.org with esmtp (Exim 4.60) (envelope-from ) id 1J1B7T-0006bA-AF for emacs-devel@gnu.org; Sat, 08 Dec 2007 20:38:11 -0500 Original-Received: from rgm by fencepost.gnu.org with local (Exim 4.60) (envelope-from ) id 1J1B7R-00020x-6T; Sat, 08 Dec 2007 20:38:09 -0500 X-Spook: Khaddafi blackjack MD4 emc BLU-114/B high security secure X-Ran: P/OnY@oF.9/YSf;dw6.O/q";[,*b1S}7-@Q#_^/qLTb5a?"W$Ig6B*n;xq'PoHE~v}t'*g X-Hue: cyan X-Attribution: GM In-Reply-To: (Richard Stallman's message of "Mon, 03 Dec 2007 13:43:23 -0500") User-Agent: Gnus (www.gnus.org), GNU Emacs (www.gnu.org/software/emacs/) X-detected-kernel: by monty-python.gnu.org: Linux 2.6, seldom 2.4 (older, 4) X-BeenThere: emacs-devel@gnu.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Emacs development discussions." List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Original-Sender: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Errors-To: emacs-devel-bounces+ged-emacs-devel=m.gmane.org@gnu.org Xref: news.gmane.org gmane.emacs.devel:84901 Archived-At: > I just noticed that ~/.url/cookies was world-readable, and its parent > directory was world-readable, exposing the cookies emacs held to the > outside world, which allows for a session hijacking attack. I can fix this. Should ~/.url be private, or just certain files within it (cookies, history, what else)?