Package: joe Version: 2.8-12 I'm just guessing about the Debian version above. sbr wrote: > I recently started using a new editor called joe, with this editor there is > a feature that if your existing session is terminated, it creates a DEADJOE > in the directory. While editing my shadow file my connection was > terminated, thus leaving the DEADJOE in my /etc directory that was world > readable containing my entire shadow file. I think the problem is self > explanitory. I have emailed the creator and there is no feature to disable > this that I can find or mentioned in the email. My umask setting does not > seem to affect the permissions of DEADJOE. > > The operating system is Debian Linux 2.1 kernel 2.2.10 i386. > > - Spencer. How-To-Repeat: use joe to edit a file, then kill -HUP its process. I was able to reproduce this with joe 2.8 under Red Hat 6.0, with either Red Hat's -18 patches or the FreeBSD-current patches applied, so it looks like FreeBSD is probably vulnerable too. Fix: here's a patch against the pristine source, only tested on Red Hat. Confidential: no __ Trevor Johnson --- b.c.orig Fri Jan 20 00:38:25 1995 +++ b.c Sat Jul 17 01:54:09 1999 @@ -21,6 +21,7 @@ #include <pwd.h> #endif #include <errno.h> +#include <sys/types.h> #include "config.h" #include "blocks.h" @@ -1990,6 +1991,7 @@ { long tim=time(0); B *b; + mode_t mask=umask (077); /* no access to DEADJOE for others */ FILE *f=fopen("DEADJOE","a"); fprintf(f,"\n*** Modified files in JOE when it aborted on %s",ctime(&tim)); if(sig) fprintf(f,"*** JOE was aborted by signal %d\n",sig);
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:52:36 PDT