List: suse-security
Subject: Re: [opensuse-security] AA profiles world readable!?
From: "Carlos E. R." <carlos.e.r () opensuse ! org>
Date: 2014-08-30 15:07:11
Message-ID: 5401E89F.6000902 () opensuse ! org
On 2014-08-30 16:53, pinguin74 wrote:
> On 29.08.2014 16:50, Carlos E. R. wrote:
> Well, I think one thing you can learn from attacks is that
> attackers always abuse things you never expected they could be
> abused at all... Thus, disable, delete, remove everything not
> necessarily needed...
They can easily read the profiles from the internet, or their own
installation. They are published.
> Maybe an attacker could read the profiles and then attack another
> app that seems to him to be secured in a less strict way? I'd like
> to avoid that by setting profiles to 640 or 600.
It is your system :-)
But the attacker can simply probe applications till it/he finds one
that gives him access. It is slower than reading the profiles
directly, but no big issue to them, if they are interested.
--
Cheers / Saludos,
Carlos E. R.
(from 13.1 x86_64 "Bottle" at Telcontar)