[Secure-testing-team] Bug#775479: phabricator: insecure configuration permissions

Apollon Oikonomopoulos apoikos at debian.org
Fri Jan 16 08:38:05 UTC 2015


Source: phabricator
Version: 0~git20141101-1
Severity: grave
Tags: security
Justification: user security hole

Dear Maintainer,

The local configuration created by the phabricator package under 
/usr/share/phabricator/conf/local is globally readable and contains 
sensitive information like phabricator's database credentials. Access to 
it should be restricted to only the necessary users (www-data and 
phabricator in our case). See also #775478 regarding the configuration 
location.

Regards,
Apollon

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing'), (90, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=el_GR.UTF-8, LC_CTYPE=el_GR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
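
The check and fix the report asks for, as an added example that is not part of the original bug report or of the phabricator package. The function names are hypothetical, and the www-data group handoff is an assumption based on the users named in the report.

```shell
#!/bin/sh
# Added example: find and remove "other" access on a configuration tree
# such as /usr/share/phabricator/conf/local (path taken from the report).

# List files and directories under $1 that grant any permission to "other".
list_world_accessible() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -0004 -o -perm -0002 -o -perm -0001 \) -print
}

# Succeed only when nothing under $1 is accessible to "other".
conf_tree_is_private() {
    [ -z "$(list_world_accessible "$1")" ]
}

# Strip "other" access below $1. If $2 is given, hand the tree to that group
# first (assumption: www-data, so the web server can still read it; needs root).
restrict_conf_tree() {
    if [ -n "${2:-}" ]; then
        chgrp -R "$2" "$1" || return 1
    fi
    chmod -R o-rwx "$1"
}

# Constructed demonstration on a throwaway tree: prints the findings before
# the fix and returns the status of the privacy check after it.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/local"
    printf 'constructed-db-password\n' > "$tmp/local/example.conf"
    chmod 755 "$tmp/local"
    chmod 644 "$tmp/local/example.conf"
    list_world_accessible "$tmp/local"
    restrict_conf_tree "$tmp/local"
    conf_tree_is_private "$tmp/local"; status=$?
    rm -rf "$tmp"
    return "$status"
}
```

The demo runs unprivileged because it skips the group change. On a real system, restrict_conf_tree would be run as root with the directory and group as arguments.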


