125007 – insecure permissions for squid.conf

Bug 125007 - insecure permissions for squid.conf

Summary: insecure permissions for squid.conf

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 3
Classification:	Red Hat
Component:	squid
Sub Component:
Version:	3.0
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Jay Fenlason
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2004-06-02 00:31 UTC by Jason Gallagher
Modified:	2014-08-31 23:26 UTC (History)
CC List:	1 user (show)
Fixed In Version:	RHSA-2005-489
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2005-06-13 12:08:41 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2005:415	0	normal	SHIPPED_LIVE	Low: squid security update	2005-06-14 04:00:00 UTC
Red Hat Product Errata	RHSA-2005:489	0	normal	SHIPPED_LIVE	Low: squid security update	2005-06-13 04:00:00 UTC

Description Jason Gallagher 2004-06-02 00:31:02 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4.2)
Gecko/20040301

Description of problem:
/etc/squid/squid.conf may contain a plaintext password in the
cachemgr_passwd directive. Users with access may be able to see the
list of cached objects and shutdown the cache itself. A message on the
mailing list suggests non-world-readable permissions for this file
(http://www.squid-cache.org/mail-archive/squid-users/200201/0539.html).
I suggest using ownership root:squid and permissions 0640. A fix to
the SPEC file might be:

130c130
< %config(noreplace) /etc/squid/squid.conf
---
> %config(noreplace) %attr(640,root,squid) /etc/squid/squid.conf


Version-Release number of selected component (if applicable):
squid-2.5.STABLE3-5.3E

How reproducible:
Always

Steps to Reproduce:
1. install
2. examine permissions of /etc/squid/squid.conf

    

Actual Results:  File readable by all users.

Expected Results:  Should be readable only by root and user 'squid'.

Additional info:

Comment 1 Josh Bressers 2005-06-02 17:40:17 UTC

This issue also affects RHEL2.1

Comment 2 Josh Bressers 2005-06-13 12:08:41 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2005-489.html

Note You need to log in before you can comment on or make changes to this bug.