On Sun, 13 Aug 2006 16:34:57 +0200 maximilian attems wrote: > On Sun, Aug 13, 2006 at 12:13:13PM +0200, Jonas Smedegaard wrote: > > On Sun, 13 Aug 2006 11:26:02 +0200 maximilian attems wrote: > <snipp> > > > please specify the info: > > > i'm not 100% familiar with yaird code, so i'd be happy to know > > > which only root readable part might get exposed? > > > > I don't know which files the local admin chooses to hide from its > > local users. > > well that is easily done by setting /boot 0700 > or even tighter with selinux permissions. > > > Backup routines ought to make sure to use equal or tighter access > > rights than the originals copied. Same goes for ramdisk builders, > > IMHO. > > well targetting Debian default, this is handwaving until a special > file is named. in the case of loop-aes i understand that the gpg key > is a problem, but in general you didn't provide a backup for a leak > claim: > > a) /lib/modules is readable by anybody > b) same goes with /boot/config that yaird uses > c) /proc/cmdline, /proc/mount gives lots of info > > so please be specific about the leakage. > it is certainly against Debian standard permission setup. > i may declare it needlessly paranoid. > > > > > hmm indeed netboot should be supported out of the box, > > > that is an counterarg. > > > > Copying info as root and then exposing it to the whole (local) > > network is certainly the special case, not a counter argument of > > maintaining security in general! > > which security? - again handwaving, please pinpoint an actual case > in a Debian default setup.
Dear Max, I did not file this bugreport. I agree with the worried bugreporter, but am not in the mood for fighting, so if you cannot use my attempts at helping you to a deeper understanding of *why* we are worried, then so be it. If you believe yaird does things in a wrong way, then please discuss it through bugreports against that package. - Jonas -- * Jonas Smedegaard - idealist og Internet-arkitekt * Tlf.: +45 40843136 Website: http://dr.jones.dk/ - Enden er nær: http://www.shibumi.org/eoti.htm
pgpIeprq1v1oo.pgp
Description: PGP signature
