Bug 67092 - The default file permissions for /etc/sysconfig/firewall are 644 (-rw-r--r--), exposing firewall rules.
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: firewall-config
Version: 7.1
Hardware: i686
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Harald Hoyer
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2002-06-19 21:55 UTC by gary
Modified: 2007-03-27 03:54 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-03-10 15:04:26 UTC
Embargoed:



Description gary 2002-06-19 21:55:32 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0rc2) Gecko/20020513 Netscape/7.0b1

Description of problem:
After installing the firewall-config-0.95-2 package, the default file
permissions for /etc/sysconfig/firewall are 644 (-rw-r--r--).  After creating
rules using the firewall-config tool (and clicking the OK button), it saves
information about these rules in /etc/sysconfig/firewall and still does not
change the permissions.  With 644 (-rw-r--r--) permissions, any user can read
the firewall rules.  I believe the permissions should be 600 (-rw-------).

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. After installing the firewall-config package, start firewall-config as root.
2. Create some rules and click the OK button.
3. Type "ls -l /etc/sysconfig/firewall" to see the permissions.  Alternatively,
you could become a regular, non-root user and type "cat /etc/sysconfig/firewall"
to see the firewall rules.

Actual Results: The permissions on /etc/sysconfig/firewall were -rw-r--r--.

Expected Results: The permissions on /etc/sysconfig/firewall should be -rw-------.

Additional info:
An obvious work around is "chmod 600 /etc/sysconfig/firewall"
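The behaviour described in this report, as an added shell example that is not part of the bug report or of the firewall-config package: it shows how a file written under the usual root umask of 022 comes out 0644, the hardened write that creates it 0600 from the start, the chmod 600 workaround, and an audit for the "ls -l" check done by hand above. The paths under $TMPDIR, the umask values and the helper names are constructed stand-ins for /etc/sysconfig/firewall, not anything the tool itself does.

```shell
#!/bin/sh
# Added example, not code from the bug report or from firewall-config.
# Paths below are constructed stand-ins for /etc/sysconfig/firewall.
WORK="${TMPDIR:-/tmp}/fw-perm-demo.$$"
mkdir -p "$WORK"
RULES='ACCEPT tcp 22
DROP all'

# Reported behaviour: the file is saved with whatever umask the tool
# inherited. Under the common root umask 022 a new file gets 0644.
write_rules_default() {
    rm -f "$1"; ( umask 022; printf '%s\n' "$RULES" > "$1" )
}

# Hardened write: restrict the umask in a subshell so the file is never
# world-readable, not even between creation and a later chmod.
write_rules_private() {
    rm -f "$1"; ( umask 077; printf '%s\n' "$RULES" > "$1" )
}

# Octal permission bits of a file, e.g. 644 (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Succeeds only when group and other have no permission bits at all.
is_owner_only() {
    m=$(mode_of "$1") && [ -n "$m" ] && [ $(( 0$m & 077 )) -eq 0 ]
}

# The workaround from the report: fix an already-exposed file in place.
fix_permissions() {
    chmod 600 "$1"
}

# Audit a list of files: print each exposed one, return how many there were.
audit_files() {
    n=0
    for f in "$@"; do
        is_owner_only "$f" && continue
        printf 'WARN %s is mode %s, readable by other users\n' "$f" "$(mode_of "$f")"
        n=$((n + 1))
    done
    return $n
}

write_rules_default "$WORK/firewall.as-shipped"
write_rules_private "$WORK/firewall.hardened"
audit_files "$WORK/firewall.as-shipped" "$WORK/firewall.hardened" \
    || echo "exposed files: $?"     # only the as-shipped copy is flagged
```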

Comment 1 Harald Hoyer 2002-06-20 08:51:39 UTC
I did not consider that as a security risk. Besides that, a real firewall should
not have ordinary user access. And for those who care, just chmod 600.

Comment 2 gary 2002-06-20 18:14:19 UTC
My organization has a dedicated firewall that protects systems on our internal
network from systems on external networks.  However, I thought it was a best
practice to not necessarily trust your entire internal network.  Therefore, on
my server, I decided to set up a packet-filtering firewall to provide another
layer of security.  There are ordinary users on this system and if I hadn't
noticed the 644 permissions (before I started) on the /etc/sysconfig/firewall
file, these users could have discovered the server's firewall rules.  So I am
going to have to disagree with you about this not being a security risk.

It seems that the default permissions should be secure whether or not there are
ordinary users on the system.  If you had a system with no other users, would
you want /etc/shadow to have default permissions of 644?  The permissions of
sensitive files are just one additional layer of security that I think systems
should have regardless of whether there are ordinary users or not.

Comment 3 Alan Cox 2002-12-18 17:18:56 UTC
Dropping priority - if the firewall is only secure because people don't know what
is in it, then it's not clear it's a good firewall.

Still wants fixing though


Comment 4 Harald Hoyer 2003-03-10 15:04:26 UTC
deprecated

