On Wed, 28 Aug 2002, Alvaro Herrera wrote:
> En Wed, 28 Aug 2002 17:33:34 -0400 (EDT)
>
> Thank you. Patch attached. Note that it also checks group access; I think
> that is desired as well.
+
+ /* If password file is insecure, alert the user and ignore it. */
+ if (stat_buf.st_mode & (S_IRWXG | S_IRWXO))
Should there also be a S_IFREG check to make sure no one is trying any other
tricks? I'm not sure of what an exploit would be but for the sake of paranoia
it seems a cheap test.
I take it no one wants to start checking directory tree permissions etc.
--
Nigel J. Andrews
Director
---
Logictree Systems Limited
Computer Consultants