First published: Mon Dec 15 2008
While checking Gentoo bug http://bugs.gentoo.org/show_bug.cgi?id=250715 I noticed that zoneminder in Fedora defaults to apache:apache 600 for /etc/zm.conf. Therefore, Fedora defaults do not allow reading the config file directly using cat or vim.

chmod o-r is probably not much of a fix in setups where local users can run their own php or cgi scripts with web server privileges. However, in such setups, the Fedora default seems even worse, as any php or cgi can actually modify the config (and at least break DB connectivity).

In similar cases, where some daemon user needs read access to a certain config file, root:<daemon_group> 640 is more common. Please check if changing:

`%config(noreplace) %attr(600,%{zmuid_final},%{zmgid_final}) %{_sysconfdir}/zm.conf`

to

`%config(noreplace) %attr(640,root,%{zmgid_final}) %{_sysconfdir}/zm.conf`

makes sense for ZM.
Credit: cve@mitre.org
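
The ownership and mode combinations compared in the report can be checked mechanically. The following is an added example, not code from ZoneMinder, Fedora or the bug report; the function names and the sample uid/gid 48 are constructed for illustration, and it assumes the daemon runs with the single group passed in (supplementary groups and ACLs are ignored).

```python
import os
import stat

def audit_config_perms(mode, owner_uid, group_gid, daemon_uid, daemon_gid):
    """Check a secret-bearing config file against root:<daemon_group> 640.

    Returns findings: the daemon must be able to read the file, must not be
    able to modify it, and other local users must not be able to access it.
    """
    perms = stat.S_IMODE(mode)
    findings = []
    if perms & stat.S_IROTH:
        findings.append("readable by other local users")
    if perms & stat.S_IWOTH:
        findings.append("writable by other local users")
    # Pick the permission class the kernel applies to the daemon account.
    if owner_uid == daemon_uid:
        can_read = bool(perms & stat.S_IRUSR)
        can_write = True  # the owner can always chmod the write bit back on
    elif group_gid == daemon_gid:
        can_read = bool(perms & stat.S_IRGRP)
        can_write = bool(perms & stat.S_IWGRP)
    else:
        can_read = bool(perms & stat.S_IROTH)
        can_write = bool(perms & stat.S_IWOTH)
    if can_write:
        findings.append("daemon account can modify the file")
    if not can_read:
        findings.append("daemon account cannot read the file")
    return findings

def audit_path(path, daemon_uid, daemon_gid):
    """Apply the same check to a file on disk."""
    st = os.stat(path)
    return audit_config_perms(st.st_mode, st.st_uid, st.st_gid, daemon_uid, daemon_gid)

if __name__ == "__main__":
    WEB = 48  # constructed sample uid/gid standing in for the web server account
    samples = {
        "apache:apache 600": (0o600, WEB, WEB),
        "root:apache 644": (0o644, 0, WEB),
        "root:apache 640": (0o640, 0, WEB),
    }
    for label, (mode, uid, gid) in samples.items():
        print(label, "->", audit_config_perms(mode, uid, gid, WEB, WEB) or "ok")
```

A file owned by the daemon account is reported as modifiable even at mode 400, because the owner can change the mode itself.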
Affected Software | Affected Version | How to fix |
---|---|---|
Zoneminder Zoneminder | =1.23.3 | |
Redhat Fedora | =10 | |