1. For Unix (and variants), the permissions depend on the umask of the user executing radwho.cgi (normally the web server user). Your user environment might be set to 022.
2. /tmp/xxx file should normally be error messages.
One suggestion might be to change the umask of the environment or maybe change the script to execute a umask of 027 or something more strict (077).
Regards,
Neil D. Quiogue
On Thursday, October 31, 2002, at 10:21 PM, Utku Er wrote:
> Hi,
>
> I was using RADIATOR radwho CGI scripts for a long time. Some time ago I logged into my machine and saw my database IP, port, database username and database password in the /tmp/xxx file in a world-readable format... I see that radwho.cgi within the Radiator package creates this file.
>
> Maybe this isn't a big security threat but maybe some people see this file and wonder what it is.
> I create scripts in my internal machines and get the session table directly from the database.
>
> Utku.
=== Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
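
The effect of the umask values mentioned in this thread (022, 027, 077) on a newly created scratch file, as an added shell example that is not part of the original messages or of Radiator. The function names and the scratch file are constructed for illustration; the file is created in a private temporary directory, not at /tmp/xxx.

```shell
#!/bin/sh
# Added example: the creating process's umask decides whether a scratch
# file (like the /tmp/xxx file in this thread) ends up world-readable.

# Print the octal permission bits of a file (GNU stat, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Create a file under the given umask and print the resulting mode.
# The body runs in a subshell, so the caller's umask is left unchanged.
mode_under_umask() (
    dir=$(mktemp -d) || exit 1
    umask "$1"
    : > "$dir/scratch"      # plain create: requested mode 0666, minus umask
    file_mode "$dir/scratch"
    rc=$?
    rm -rf "$dir"
    exit "$rc"
)

# Exit 0 if the "other" read bit is set on the file, 1 if not,
# 2 if the mode could not be read.
is_world_readable() {
    mode=$(file_mode "$1") || return 2
    other=${mode#"${mode%?}"}   # last octal digit = permissions for "other"
    [ $((other & 4)) -ne 0 ]
}

# Constructed demonstration over the three umask values from the thread.
demo() {
    for m in 022 027 077; do
        printf 'umask %s -> mode %s\n' "$m" "$(mode_under_umask "$m")"
    done
}

demo
```

Running `is_world_readable` against the file a CGI script leaves behind, as the web server user's environment would create it, confirms whether a stricter umask has taken effect.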
