Path: utzoo!yunexus!ists!helios.physics.utoronto.ca!news-server.csri.toronto.edu!mailrus!cs.utexas.edu!uunet!crdgw1!montnaro
From: montnaro@spyder.crd.ge.com (Skip Montanaro)
Newsgroups: comp.unix.questions
Subject: Re: How secure is UNIX?
Message-ID:
Date: 29 May 90 15:16:06 GMT
Article-I.D.: spyder.MONTNARO.90May29111606
References: <100928@<1990May23> <9000030@m.cs.uiuc.edu> <1990May28.102235.10021@agate.berkeley.edu> <6365@amelia.nas.nasa.gov> <1990May29.022854.22733@smsc.sony.com>
Sender: news@crdgw1.crd.ge.com
Reply-To: montanaro@crdgw1.ge.com (Skip Montanaro)
Organization: GE Corporate Research & Development, Schenectady, NY
Lines: 17
In-reply-to: dce@smsc.sony.com's message of 29 May 90 02:28:54 GMT

In article <1990May29.022854.22733@smsc.sony.com> dce@smsc.sony.com (David Elliott) writes:

> I think that the problem here, Sam, is that the .netrc file is "an
> attractive nuisance". Not only does the .netrc file give you a place to
> put a password, the documentation tells you that this feature won't be
> used if the file is readable by others. In essence, it is saying "it's
> safe to put passwords here".

Shouldn't the ftp daemon on the receiving end set the file permissions
pessimistically? On Suns at least, the mode on the receiving end is 666.
(Ultrix appears to set the mode to 644, which for the current discussion is
no better than 666.) If the modes are going to be mangled, I'd rather they
were mangled to 600.

The case of ~/.netrc is just one problem. As another example, mail files
often contain sensitive information (like passwords :-). Having them created
mode 666 can be just as damaging.

--
Skip (montanaro@crdgw1.ge.com)
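An added example (not code from the poster or from any ftpd) showing the two halves of the point above: a check for the owner-only permissions that ftp(1) demands of ~/.netrc, and a file-creation routine that forces mode 600 regardless of umask, as the post argues a receiving daemon should. The /tmp paths are constructed for the demo.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if the file exists and carries no group or other permission
 * bits (the condition ftp(1) checks before it will trust ~/.netrc),
 * 0 if it is missing or is readable/writable by anyone else. */
int file_is_private(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Create (or truncate) a file as the post says a receiving daemon should:
 * mode 0600 no matter what umask the caller inherited.
 * Returns 0 on success, -1 on error. */
int create_private_file(const char *path)
{
    mode_t old = umask(077);                 /* strip group/other bits */
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    umask(old);                              /* restore caller's umask */
    if (fd < 0)
        return -1;
    /* If the file already existed with looser bits, tighten those too. */
    if (fchmod(fd, 0600) != 0) { close(fd); return -1; }
    return close(fd);
}

/* Demo helper: create a file the permissive way the post complains about
 * (0666 with no umask applied), so file_is_private has something to reject. */
int create_permissive_file(const char *path)
{
    mode_t old = umask(0);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    umask(old);
    if (fd < 0)
        return -1;
    return close(fd);
}

int main(void)
{
    const char *sloppy = "/tmp/netrc_demo_666";  /* constructed demo paths */
    const char *tight  = "/tmp/netrc_demo_600";
    create_permissive_file(sloppy);
    create_private_file(tight);
    printf("%s private: %d\n", sloppy, file_is_private(sloppy)); /* prints 0 */
    printf("%s private: %d\n", tight,  file_is_private(tight));  /* prints 1 */
    unlink(sloppy);
    unlink(tight);
    return 0;
}
```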