While checking Gentoo bug:
http://bugs.gentoo.org/show_bug.cgi?id=250715

I noticed that zoneminder in Fedora defaults to apache:apache 600 for /etc/zm.conf. Therefore, Fedora defaults does now allow reading the config file directly using cat or vim.

chmod o-r is probably not much of a fix in setups where local users can run own php or cgi scripts with web server privileges. However, in such setups, Fedora default seems even worse, as any php or cgi can actually modify the config (and at least break DB connectivity).

In similar cases, where some daemon user needs read access to certain config file, root:<daemon_group> 640 is more common. Please check if changing:

%config(noreplace) %attr(600,%{zmuid_final},%{zmgid_final}) %{_sysconfdir}/zm.conf

to

%config(noreplace) %attr(640,root,%{zmgid_final}) %{_sysconfdir}/zm.conf

makes sense for ZM.
zoneminder-1.23.3-2.fc10 has been submitted as an update for Fedora 10. http://admin.fedoraproject.org/updates/zoneminder-1.23.3-2.fc10
zoneminder-1.23.3-2.fc10 has been pushed to the Fedora 10 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update zoneminder'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F10/FEDORA-2008-11484
zoneminder-1.23.3-2.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-6755 to the following vulnerability:

Name: CVE-2008-6755
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-6755
Assigned: 20090427
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=476529
Reference: FEDORA:FEDORA-2008-11484
Reference: URL: https://www.redhat.com/archives/fedora-package-announce/2009-January/msg00204.html

ZoneMinder 1.23.3 on Fedora 10 sets the ownership of /etc/zm.conf to the apache user account, and sets the permissions to 0600, which makes it easier for remote attackers to modify this file by accessing it through a (1) PHP or (2) CGI script.
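The ownership problem described in the report and in the CVE text can be checked mechanically. The following is an added example, not code from the bug report or from the Fedora or ZoneMinder packaging; the function names are hypothetical, and the apache user and group are the ones named in the report. It audits a daemon config file against the root:<daemon_group> 640 layout proposed above.

```python
import grp
import os
import pwd
import stat
import sys


def audit_mode(mode, owner, group, daemon_user, daemon_group):
    """Return findings for a daemon config file; an empty list means it
    matches the root:<daemon_group> 640 layout (or something stricter)."""
    findings = []
    if owner == daemon_user:
        # The owner can always chmod the file, so even 0400 would not help:
        # any script running as the daemon user can rewrite the config.
        findings.append("owned by daemon user, so code running as it can modify the file")
    elif owner != "root":
        findings.append(f"owner is {owner}, expected root")
    if group != daemon_group:
        findings.append(f"group is {group}, expected {daemon_group}")
    if mode & stat.S_IWGRP:
        findings.append("group-writable, so the daemon group can modify the file")
    if mode & stat.S_IRWXO:
        findings.append("accessible to other local users")
    if owner != daemon_user and not mode & stat.S_IRGRP:
        findings.append("not group-readable, so the daemon cannot read its config")
    return findings


def audit_file(path, daemon_user, daemon_group):
    """Stat a real file and audit it (names resolved via the passwd/group db)."""
    st = os.stat(path)
    owner = pwd.getpwuid(st.st_uid).pw_name
    group = grp.getgrgid(st.st_gid).gr_name
    return audit_mode(stat.S_IMODE(st.st_mode), owner, group, daemon_user, daemon_group)


if __name__ == "__main__":
    # Usage (assumed invocation): audit.py /etc/zm.conf apache apache
    path, user, group = sys.argv[1:4]
    problems = audit_file(path, user, group)
    for p in problems:
        print(f"{path}: {p}")
    sys.exit(1 if problems else 0)
```
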