fP 5.6 shipping with insecure modes?

[Fairlight]

Is it just me, or did J. P. Radley say:
> 
> You didn't install this yourself, I gather, so why/how do you come to
> blame the fP installation scripts?

Because I'm pretty damned sure Bob Stockler didn't dink with his, and I
know my client didn't dink with theirs.

And the config file has been an issue on at least 9 boxes--and those are
just ones I work with regularly.  In fact, I've yet to see a system where
config was -not- 0666, to the best of my memory.

> I installed my own fp_v5.6.02, and I can assure you that I did not
> change the permissions of those entries here, where they are:
> 
>    drwxr-xr-x 2 appl 493      96 Jan 20 16:55 /appl/fp_v5.6.02D4/spell
>    -rw-r--r-- 1 appl bin  846180 Mar 10 15:48 /appl/fp_v5.6.02D4/spell/dict.hsh
>    -rw-r--r-- 1 appl sys    1294 Jun 21 14:24 /appl/fp_v5.6.02D4/lib/config

Well then you're an exception to the rest of the dataset I'm seeing
develop.  This still doesn't explain EXPORT not having fixed umasks after
umpteen 5.0.x releases and now 5.6, after an extensive alpha/beta cycle.

> Also, isn't that 'b6' an indication of a beta release?

Yeah.  And I bet they fixed the install about as well in this regard as
they fixed the linux installation notes.  How about we ask John Esak about
the linux installation notes.  :) :) :)  Apparently (I gather) feedback was
given during the alpha/beta period and things -still- weren't fixed by the
time they made it into release.  I'm shocked.

They -could- be depending on umask to set the modes for the spelling part,
but that would be a bug as well.  Modes should be explicitly set.  Speaking
of which, I have to say I don't believe you about config.  I just flat-out
do NOT believe you.  Know why?  Because scripts/fp.list, which contains the
permissions used by setperms contains the following in 5.6, just as it did
in 5.0.x:

0666  root       ./lib/config

That's been there for years, and I've been citing it as an issue for as
long as I've been doing security audits.  Check the archives and look at
how many times I've cited this in 5.0.x versions.  If yours isn't 0666, you
either have never run setperms, or you tweaked it afterwards.  Since the
'finish' script contains the following:

# 07/25/00 Changed to use setperms to set permissions.
$PFPROG/fp/scripts/setperms -i

...you're either not installing it via 'finish', or you're not being
up-front about having changed it.  I don't see any other logical
conclusions.  Actually, I just checked something.  I have a client with 4.1
on their system and THEIR fp.list has the same line for lib/config as shown
above.  That goes back a LONG way.  I won't say you're out and out lying,
but I sure the hell don't personally believe you.  Not after how many
systems and versions I've seen this on -consistently-.

Further reading indicates that the spell files are -not- in fp.list, and
so it is possibly depending on the umask, which point I consider a bug.
You can debate it all you like, but it's my opinion that anything that
leaves modes to chance of random umask at install is buggy in that regard,
period, the end.  Actually, I have to wonder if it's related to umask.  Who
has a umask of 011?  That's not even sensible.  The results aren't even
consistent with umask 0.  Something's odd there, but I don't have time to
debug fP-Tech's software.  Furthermore, anything that creates files with an
insecure default mode (EXPORT) is buggy.  It's not like I've never reported
it officially, either.  I've done it at least once, possibly 2-3 times.
I know one of those was cc'd to this list after a flame war over my not
submitting it officially, and would be archived.  They're -well- aware of
the issue and have been for some time.

I'm starting to think it will take a listing on vulnwatch or the like to
get this stuff closed once and for all--and maybe not even then.

mark->