On Wed, 21 Jan 2009, Matt Sergeant wrote:

> Should we "fix" qpsmtpd config loading to check for file permissions as described in: http://use.perl.org/~Alias/journal/38319 ?

I think that would be misdirected effort. Checking the permission of the file is a wasted system call every time the permissions are what they should be, and wasted effort if permissions/ownership are incorrect on any of the enclosing directories.

I think that CWE/SANS is correct in saying that during architecture and design one should "when using a critical resource such as a configuration file, check to see if the resource has insecure permissions", but then immediately wrong when they say "and generate an error or even exit the software if there is a possibility that the resource could have been modified by an unauthorized party" - which obviously can only be done at run time, not at design time.

I would depend on good design and good system administration to ensure that attackers cannot modify configuration files, and consider it impractical to include a myriad of (almost always redundant) runtime checks.

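The check the journal entry proposes, and the reply's objection that the file's own mode tells you nothing if an enclosing directory or a symlink on the way is writable by someone else, as an added example (not code from qpsmtpd or from either poster, and in Python rather than the project's Perl). It walks every component from / down to the file, lstat()s each one, and reports anything owned by an untrusted uid or writable by group/other; `load_trusted_config` and the uid set are hypothetical names, and the reported cost is exactly one lstat() per path component, which is the "wasted system call" of the reply multiplied by the path depth:

```python
import os
import stat


def component_issues(st, trusted_uids):
    """Problems with one path component, judged from its lstat() result.

    The kernel ignores a symlink's mode bits, so for a link only the owner
    matters: whoever owns the link decides where it points.
    """
    issues = []
    if st.st_uid not in trusted_uids:
        issues.append("owned by untrusted uid %d" % st.st_uid)
    if stat.S_ISLNK(st.st_mode):
        return issues
    if st.st_mode & stat.S_IWOTH:
        # Sticky world-writable directories (/tmp style) stop other users from
        # renaming or unlinking our entries, but are still reported: a config
        # file has no business living under one.
        sticky = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
        issues.append("world-writable" + (" (sticky)" if sticky else ""))
    if st.st_mode & stat.S_IWGRP:
        issues.append("group-writable")
    return issues


def _ancestors_and_self(abs_path):
    """Return /, /a, /a/b, ..., abs_path in root-first order."""
    parts = []
    p = abs_path
    while True:
        parts.append(p)
        parent = os.path.dirname(p)
        if parent == p:
            break
        p = parent
    return reversed(parts)


def insecure_components(path, trusted_uids=None):
    """Return [(component, issue), ...] for every directory, symlink and file
    on the way to `path` that an untrusted party could use to change what is
    eventually read. One lstat() per component.
    """
    if trusted_uids is None:
        trusted_uids = {0, os.geteuid()}  # assumption: root and ourselves are trusted
    findings = []
    seen = set()
    # Walk the path as written (lstat sees a symlink as itself) and the fully
    # resolved path, so an attacker-owned link is reported, not silently followed.
    for candidate in (os.path.abspath(path), os.path.realpath(path)):
        for component in _ancestors_and_self(candidate):
            if component in seen:
                continue
            seen.add(component)
            try:
                st = os.lstat(component)
            except OSError as exc:
                findings.append((component, "cannot lstat: %s" % exc.strerror))
                continue
            for issue in component_issues(st, trusted_uids):
                findings.append((component, issue))
    return findings


def load_trusted_config(path, trusted_uids=None):
    """Hypothetical helper (not a qpsmtpd API): read `path` only if nothing on
    the way to it is writable by an untrusted party, otherwise raise, which is
    the "generate an error or exit" behaviour the CWE/SANS text asks for."""
    findings = insecure_components(path, trusted_uids)
    if findings:
        detail = "; ".join("%s %s" % f for f in findings)
        raise PermissionError("refusing to load %s: %s" % (path, detail))
    with open(path) as fh:
        return fh.read()


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:] or ["/etc/hosts"]:
        for component, issue in insecure_components(p):
            print("%s: %s" % (component, issue))
```

Run it against a real config path to see how much of the output is about directories rather than the file itself; that is the part a file-only `stat` would miss, and also why a check like this belongs in a one-off audit or a startup self-test rather than on every config reload.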