From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0rc2) Gecko/20020513 Netscape/7.0b1

Description of problem:
After installing the firewall-config-0.95-2 package, the default file permissions for /etc/sysconfig/firewall are 644 (-rw-r--r--). After creating rules using the firewall-config tool (and clicking the OK button), it saves information about these rules in /etc/sysconfig/firewall and still does not change the permissions. With 644 (-rw-r--r--) permissions, any user can read the firewall rules. I believe the permissions should be 600 (-rw-------).

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. After installing the firewall-config package, start firewall-config as root.
2. Create some rules and click the OK button.
3. Type "ls -l /etc/sysconfig/firewall" to see the permissions. Alternatively, you could become a regular, non-root user and type "cat /etc/sysconfig/firewall" to see the firewall rules.

Actual Results:
The permissions on /etc/sysconfig/firewall were -rw-r--r--.

Expected Results:
The permissions on /etc/sysconfig/firewall should be -rw-------.

Additional info:
An obvious workaround is "chmod 600 /etc/sysconfig/firewall".
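The check from the reproduction steps and the workaround from "Additional info", as an added shell example that is not part of the bug report. It also shows how a tool like firewall-config could avoid the problem in the first place: create the rules file under a restrictive umask so it is never world-readable even briefly, instead of relying on a chmod afterwards. It assumes GNU coreutils stat (for -c '%a'); the file path defaults to /etc/sysconfig/firewall but the demo runs on a constructed temporary file so it needs no root.

```sh
#!/bin/sh
# Added example, not from the original bug report or the firewall-config tool.
# Assumes GNU coreutils `stat -c '%a'`; the demo uses a temp file, not the
# real /etc/sysconfig/firewall, so it can be run as an unprivileged user.

# Print the octal permission bits of a file, e.g. 644.
file_mode() {
    stat -c '%a' "$1"
}

# Return 0 if only the owner has any access (group and other bits all zero),
# 1 otherwise. A mode of 0 (no access at all) also counts as owner-only.
owner_only() {
    mode=$(file_mode "$1") || return 1
    case "$mode" in
        0|*00) return 0 ;;   # 600, 700, 4600, ... end in two zero digits
        *)     return 1 ;;
    esac
}

# The workaround from the report: tighten an exposed file to 0600.
# Prints "ok" or "fixed" and returns 0 once the file is owner-only.
harden_file() {
    f=${1:-/etc/sysconfig/firewall}
    if owner_only "$f"; then
        echo "ok: $f is $(file_mode "$f")"
    else
        echo "fixed: $f was $(file_mode "$f"), setting 600"
        chmod 600 "$f" || return 1
    fi
    owner_only "$f"
}

# How the saving tool should write a sensitive file: create it under
# umask 077 so it starts life as 0600. Note that umask only affects newly
# created files; an existing 644 file keeps its mode, so remove it first.
write_private() {
    f=$1
    rm -f "$f"
    ( umask 077; cat > "$f" )
}

# Demonstration: a constructed 644 file (the bug), then the fix, then a
# fresh file written the safe way.
demo() {
    tmp=$(mktemp) || return 1
    printf 'example firewall rules (constructed sample)\n' > "$tmp"
    chmod 644 "$tmp"                       # reproduce the reported state
    harden_file "$tmp" || { rm -f "$tmp"; return 1; }
    printf 'rewritten rules\n' | write_private "$tmp"
    rc=1
    [ "$(file_mode "$tmp")" = "600" ] && rc=0
    rm -f "$tmp"
    return $rc
}
```

Running `demo` prints "fixed: ... was 644, setting 600" and exits 0; `harden_file` with no argument operates on /etc/sysconfig/firewall itself and needs to run as root.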
I did not consider that a security risk. Besides that, a real firewall should not have ordinary user access. And for those who care, just chmod 600.
My organization has a dedicated firewall that protects systems on our internal network from systems on external networks. However, I thought it was a best practice to not necessarily trust your entire internal network. Therefore, on my server, I decided to set up a packet-filtering firewall to provide another layer of security. There are ordinary users on this system and if I hadn't noticed the 644 permissions (before I started) on the /etc/sysconfig/firewall file, these users could have discovered the server's firewall rules. So I am going to have to disagree with you about this not being a security risk. It seems that the default permissions should be secure whether or not there are ordinary users on the system. If you had a system with no other users, would you want /etc/shadow to have default permissions of 644? The permissions of sensitive files are just one additional layer of security that I think systems should have regardless of whether there are ordinary users or not.
Dropping priority - if the firewall is only secure because people don't know what is in it, then it's not clear it's a good firewall. Still wants fixing though.
deprecated