From: Timothy J. Hamilton
Subject: Re: [Pan-users] Re: Connections [Is it hiding a security hole?]
Date: Sat, 16 Aug 2008 18:33:32 -0400

I tried editing servers.xml as root. No help. I changed permissions and ownership. Setting owner as forbidden to write & setting ownership of the file to root. On startup both times, Pan acted as if it were a new install. Entries in the edited servers.xml were removed.

It would seem that somewhere Pan is not respecting *nix file ownership settings and permissions, at least when it comes to servers.xml. That would suggest a security hole, even if a small one.

It is my end-user non-programmer understanding that the foundation of *nix security was strict enforcement of file permissions and ownerships. If Pan starts as a user-process it should not be able to manipulate/delete/change files owned by root unless the user-process is run with special privilege(s) using sudo, kdesu, or similar.

It would seem that all that would be necessary to wreak some mayhem would be creation of a symbolic link to files containing passwords, even if those files are encrypted. Even if the only thing done was the deletion of those files containing the system's passwords.

I would very much appreciate confirmation or disproof of the above.

On Saturday August 16 2008 16:49:11 Daryl Styrk wrote:
> At first the same happened to me. Then I edited the file as root and
> worked fine. I had a max allowed connections of 5 from altopia, and
> after adding an additional connection I picked up nearly 1000kb/s.
>
> Greg Lee wrote:
> > On Sat, 16 Aug 2008 13:19:33 -0400, Timothy J. Hamilton wrote:
> >> After exiting Pan, when I check the server connections in "edit news
> >> servers", Pan shows a maximum of 4 connections. Further, when I reopen
> >> servers.xml after closing Pan, the connection limit in servers.xml is
> >> reset to 4.
> >
> > That used to happen to me, too. I'd set it to 8, then Pan would just
> > set it back to 4. In fact, I complained about it here, then when
> > someone questioned whether Pan would really do that, I re-checked
> > my working Pan to see. This time, after I set the number of
> > connections up to 8, it stayed at 8. Rather embarrassing.
> >
> > I don't know what's going on there. As a wild guess, the
> > server is giving Pan information about what the max is, and
> > that information doesn't always correspond with what is
> > advertised for the server.
>
> _______________________________________________
> Pan-users mailing list
> address@hidden
> http://lists.nongnu.org/mailman/listinfo/pan-users
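
The POSIX rule that bears on the question in this message, as an added example that is not part of the original post or of Pan's code: replacing a file by writing a temporary file and renaming it over the old one is checked against the containing directory's permissions, not the file's. It assumes the application saves its configuration that way (not confirmed on this page) and uses a constructed `servers.xml` with mode 0444 as a stand-in for a file the user may not write.

```python
import os
import tempfile

def _write(path, text):
    with open(path, "w") as f:
        f.write(text)

def replace_by_rename(directory, name, text):
    """Save by temp file + rename(2); return True if the old file was replaced."""
    tmp = os.path.join(directory, name + ".tmp")
    try:
        _write(tmp, text)                                # needs write on directory
        os.replace(tmp, os.path.join(directory, name))   # needs write on directory
        return True
    except PermissionError:
        return False

def demo():
    results = {"running_as_root": os.geteuid() == 0}
    with tempfile.TemporaryDirectory() as d:     # directory owned by this user
        target = os.path.join(d, "servers.xml")  # constructed sample file
        _write(target, "limit=8\n")
        os.chmod(target, 0o444)                  # nobody may write the file itself

        # 1. The read-only file is still replaced: the file's own mode is not
        #    consulted by rename (sticky-bit directories aside).
        results["readonly_file_replaced"] = replace_by_rename(d, "servers.xml", "limit=4\n")
        with open(target) as f:
            results["content"] = f.read()

        # 2. If the name is a symlink, rename replaces the link, not its target.
        secret = os.path.join(d, "secret")       # stand-in for a protected file
        _write(secret, "untouched\n")
        os.unlink(target)
        os.symlink(secret, target)
        replace_by_rename(d, "servers.xml", "limit=4\n")
        results["still_symlink"] = os.path.islink(target)
        with open(secret) as f:
            results["secret"] = f.read()

        # 3. Removing write permission on the directory is what blocks the save
        #    (root bypasses this check).
        os.chmod(d, 0o555)
        results["replaced_in_locked_dir"] = replace_by_rename(d, "servers.xml", "limit=2\n")
        os.chmod(d, 0o755)                       # restore so cleanup can run
    return results

if __name__ == "__main__":
    print(demo())
```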