On Sat 2007-12-08 20:38:09 -0500, Glenn Morris wrote:

> dkg wrote:
>
>> I just noticed that ~/.url/cookies was world-readable, and its parent
>> directory was world-readable, exposing the cookies emacs held to the
>> outside world, which allows for a session hijacking attack.
>
> I can fix this. Should ~/.url be private, or just certain files within
> it (cookies, history, what else)?

I would suspect that history should also be private -- URLs visited
often hold information that you might not want others to see. I'm not
sure what else gets placed in that directory, so I don't know if the
directory itself should be mode 0700 or not.

Thanks for the followup,

--dkg
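A way to check a directory such as ~/.url for the exposure discussed in this thread, written as an added example that is not part of the original messages or of Emacs. The function names `audit_url_dir` and `harden_url_dir` are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): audit and tighten a per-user data
# directory such as ~/.url. Function names are hypothetical.

# Print every path under DIR (DIR included) that group or other can read,
# write or execute/traverse. Returns 0 if clean, 1 if anything was found,
# 2 if DIR is not a directory. Symlinks are skipped because their own mode
# bits are not what controls access. Paths containing newlines are not
# handled specially.
audit_url_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    found=$(find "$dir" ! -type l \
        \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Remove all group/other permission bits under DIR, leaving the owner's
# bits untouched (0755 -> 0700, 0644 -> 0600).
harden_url_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    find "$dir" ! -type l -exec chmod go-rwx {} +
}

# Usage:
#   audit_url_dir "$HOME/.url" || harden_url_dir "$HOME/.url"
```

`harden_url_dir` only changes what already exists; files the application writes later get whatever mode it creates them with.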