Netgate Discussion Forum

    SquidGuard: Config files executable?

      piwwo

      Hello. Just a quick question: Why are the configuration files of SquidGuard executable (for everyone) and couldn't this be a security issue?

      
      ls -la /usr/local/etc/squidGuard/
      total 30
      drwxr-xr-x   2 squid  squid   512 Jul 29 16:22 .
      drwxr-xr-x  27 root   wheel  2048 Jul 28 17:27 ..
      -rwxr-xr-x   1 squid  squid  1383 Jul 29 16:19 blacklist.files
      -rwxr-xr-x   1 squid  squid  8597 Jul 29 16:31 squidGuard.conf
      -rwxr-xr-x   1 squid  squid   455 Jul 29 14:58 squidGuard__usrdbrebuild.conf
      -rwxr-xr-x   1 squid  squid  8159 Jul 29 16:19 squidGuard_blk_rebuild.conf
      -rwxr-xr-x   1 squid  squid  2484 Aug  4 10:20 squidguard_conf.xml
      
        jimp Rebel Alliance Developer Netgate

        They aren't actually scripts so that isn't really a security issue, but it isn't necessary. Most likely something in the package code is doing a chmod on them with unnecessary permissions.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

          piwwo

          Well it could become a security issue, if someone manages somehow to get code into one of the files.

            jimp Rebel Alliance Developer Netgate

            It would also have to have the right shebang at the start of the file, which I don't see happening.

            Looking at the code, it seems to blindly set 0755 permissions everywhere, though I don't immediately see a good reason for it to do so. It should probably be using 0644 instead, but that is something that will need some testing before putting it in the package.

              piwwo

              Yeah I just felt uneasy seeing that. I believe nothing has to have +x except for those that need to be executed. Everything else should be only readable for those that need to read it.

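An added example, not part of the original thread or of the pfSense package code: a POSIX shell audit for the situation discussed above, which flags files that carry an execute bit but begin with neither a `#!` shebang nor the ELF magic, and can strip the bit (0755 becomes 0644). The function names and the sample tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: find files whose execute bit serves no purpose, i.e. files
# that are neither "#!" scripts nor ELF binaries. Paths containing newlines
# are not handled.

# first_bytes_hex FILE N: first N bytes as lowercase hex, no separators.
first_bytes_hex() {
    head -c "$2" "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# needless_exec DIR: print flagged paths, one per line, sorted.
needless_exec() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print |
    sort |
    while IFS= read -r f; do
        case "$(first_bytes_hex "$f" 4)" in
            2321*)    ;;                  # "#!" shebang: a real script
            7f454c46) ;;                  # "\177ELF": a native binary
            *) printf '%s\n' "$f" ;;      # plain data marked executable
        esac
    done
}

# strip_exec DIR: remove execute bits from flagged files only.
strip_exec() {
    needless_exec "$1" | while IFS= read -r f; do
        chmod a-x "$f"
    done
}

# make_sample: build a constructed test tree (not real pfSense data) and
# print its path. File contents are placeholders.
make_sample() {
    d=$(mktemp -d)
    printf '# constructed sample config\n' > "$d/squidGuard.conf"
    printf '#!/bin/sh\necho ok\n'          > "$d/helper.sh"
    printf 'constructed notes\n'           > "$d/notes.txt"
    chmod 0755 "$d/squidGuard.conf" "$d/helper.sh"
    chmod 0644 "$d/notes.txt"
    printf '%s\n' "$d"
}

sample=$(make_sample)
needless_exec "$sample"     # lists only the 0755 config file
strip_exec "$sample"        # config becomes 0644, helper.sh keeps 0755
rm -rf "$sample"
```

On a real system, run `needless_exec` on the directory first and review the list before calling `strip_exec`.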
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.