From: Daniel Kahn Gillmor
To: Glenn Morris
Cc: rms@gnu.org, dkg@fifthhorseman.net, emacs-devel@gnu.org
Subject: Re: [dkg@fifthhorseman.net: security: url-cookies file stored world-readable, allowing session hijacking]
Date: Mon, 10 Dec 2007 01:19:16 -0500
Message-ID: <87ve776pi3.fsf@squeak.fifthhorseman.net>
In-Reply-To: <08bq90odfi.fsf@fencepost.gnu.org> (Glenn Morris's message of "Sat, 08 Dec 2007 20:38:09 -0500")
Newsgroups: gmane.emacs.devel
Xref: news.gmane.org gmane.emacs.devel:84961
User-Agent: Gnus/5.11 (Gnus v5.11) Emacs/22.1 (gnu/linux)

On Sat 2007-12-08 20:38:09 -0500, Glenn Morris wrote:
> dkg wrote:
>
>> I just noticed that ~/.url/cookies was world-readable, and its parent
>> directory was world-readable, exposing the cookies emacs held to the
>> outside world, which allows for a session hijacking attack.
>
> I can fix this. Should ~/.url be private, or just certain files within
> it (cookies, history, what else)?

I would suspect that history should also be private -- URLs visited often
hold information that you might not want others to see.

I'm not sure what else gets placed in that directory, so I don't know if
the directory itself should be mode 0700 or not.

Thanks for the followup,

--dkg

_______________________________________________
Emacs-devel mailing list
Emacs-devel@gnu.org
http://lists.gnu.org/mailman/listinfo/emacs-devel
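The message above leaves open whether only cookies and history, or the whole of ~/.url, should be private. The script below is an added example, not code from this thread or from Emacs: it audits a ~/.url-style directory for anything readable, writable or executable by group or others, and then applies the conservative answer to Glenn's question (directory 0700, every file inside 0600), which is safe regardless of what else url.el later stores there. It assumes a flat directory, a POSIX sh, and an ls whose first ten columns are the symbolic mode string; the cookie and history contents it creates are constructed samples.

```shell
#!/bin/sh
# Added example (not from the thread or from Emacs): audit a ~/.url-style
# directory for anything group/other-accessible, then harden it the
# conservative way (directory 0700, every file inside 0600).
# Assumptions: a flat directory such as ~/.url, a POSIX sh, and an ls
# whose first ten columns are the symbolic mode string.

# Symbolic mode string of one path, e.g. "drwxr-xr-x" or "-rw-r--r--".
perms_of() {
  ls -ld "$1" | cut -c1-10
}

# Succeeds only when group and others have no permission bits at all:
# positions 5-10 must all be "-" (an "s"/"S"/"t"/"T" there fails too).
is_private() {
  case "$(perms_of "$1")" in
    ????------) return 0 ;;
    *)          return 1 ;;
  esac
}

# Print every exposed entry (the directory itself included) and return 1
# if there was at least one, 0 if everything is private.
# Note: the ".[!.]*" glob skips names beginning with "..", which ~/.url
# does not use.
audit_url_dir() {
  _exposed=0
  for f in "$1" "$1"/* "$1"/.[!.]*; do
    [ -e "$f" ] || continue          # unmatched glob pattern, skip
    if ! is_private "$f"; then
      printf 'exposed: %s %s\n' "$(perms_of "$f")" "$f"
      _exposed=1
    fi
  done
  return $_exposed
}

# Close the hole. The directory goes to 0700 first: without the search
# bit on the directory, other users can no longer open files by name
# while the individual files are still being fixed. Then 0600 on files
# (0700 on any nested directory).
harden_url_dir() {
  chmod 0700 "$1" || return 1
  for f in "$1"/* "$1"/.[!.]*; do
    [ -e "$f" ] || continue
    if [ -d "$f" ]; then chmod 0700 "$f"; else chmod 0600 "$f"; fi
  done
}

# Stand-alone demonstration on a constructed scratch directory that
# mirrors the reported state: 0755 directory, 0644 cookies and history.
demo() {
  _tmp=$(mktemp -d) || return 1
  _url=$_tmp/.url
  mkdir "$_url" && chmod 0755 "$_url"
  printf '# constructed sample, not a real cookie jar\n' > "$_url/cookies"
  printf 'http://example.invalid/\n' > "$_url/history"
  chmod 0644 "$_url/cookies" "$_url/history"
  echo "before:"
  audit_url_dir "$_url"                  # lists the three exposed entries
  harden_url_dir "$_url"
  echo "after:"
  audit_url_dir "$_url" && echo "all private"
  _status=$?
  rm -rf "$_tmp"
  return $_status
}

demo
```

Two caveats a practitioner would add. First, chmod only stops future reads: a user who already copied the cookie file still holds valid session cookies, so after a finding like this the sessions themselves should be invalidated (log out and back in on the affected sites). Second, the durable fix belongs in the writer rather than in a cleanup script: url.el should create the cookie and history files with mode 0600 in the first place (Emacs's set-file-modes can do that after writing), so the window in which a world-readable file exists never opens.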