[mythtv] .png files are mode -rw-rw-rw-

Daniel Kristjansson danielk at cuymedia.net
Wed Aug 9 13:48:41 UTC 2006


On Wed, 2006-08-09 at 09:16 -0400, Dan Wilga wrote:
> At 1:54 PM -0400 8/8/06, Daniel Kristjansson wrote:
> >On Tue, 2006-08-08 at 13:46 -0400, Preston Crow wrote:
> >>  I've noticed that while the regular recordings are -rw-r--r--, the .png
> >>  thumbnails are globally-writable.  Is this intentional?
> >
> >Yeah. Most people have problems with getting permissions set
> >up correctly, so this was done so the frontend could update
> >the thumbnails generated by the backend with the more messed
> >up configurations.
> 
> IMHO, this is a security risk, and should be optional.

I wouldn't mind a security pane in the general configuration
for the master backend which controlled this and other security
related things. But I don't think it is a significant security
risk. If an attacker has access to any of the machines on which
MythTV is running she has access to the local network so she
has almost complete control over MythTV via the MythTV protocol.
Since any sensible MythTV installation on a networked computer
has neither the backend nor the frontend running as root the
compromise would be restricted to the capabilities of the user
accounts under which the MythTV components and mysql are running.

-- Daniel
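
An added example, not part of the original message and not MythTV code: a Python check for the situation discussed in this thread, listing `.png` thumbnails whose other-write bit is set and clearing only that bit. The directory layout, the file names, and the choice to keep group write (assuming the backend and frontend accounts share a group) are assumptions.

```python
import os
import stat
import tempfile


def world_writable_thumbnails(recordings_dir):
    """Return sorted (path, mode string) pairs for .png files anyone can write."""
    hits = []
    for root, _dirs, files in os.walk(recordings_dir):
        for name in files:
            if not name.lower().endswith(".png"):
                continue
            path = os.path.join(root, name)
            st = os.lstat(path)  # lstat: never follow a symlink out of the tree
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_IWOTH:
                hits.append((path, stat.filemode(st.st_mode)))
    return sorted(hits)


def drop_other_write(path):
    """Clear only the other-write bit; group write stays (assumed shared group)."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    new_mode = mode & ~stat.S_IWOTH
    os.chmod(path, new_mode)
    return new_mode


def demo():
    """Build a constructed recordings directory, audit it, fix it, audit again."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample files; names and modes are illustrative only.
        samples = {"1001_20060809.mpg": 0o644,
                   "1001_20060809.mpg.png": 0o666,
                   "1002_20060809.mpg.png": 0o644}
        for name, mode in samples.items():
            path = os.path.join(d, name)
            open(path, "wb").close()
            os.chmod(path, mode)
        before = [(os.path.basename(p), m) for p, m in world_writable_thumbnails(d)]
        new_modes = [drop_other_write(p) for p, _ in world_writable_thumbnails(d)]
        after = world_writable_thumbnails(d)
        return before, new_modes, after


if __name__ == "__main__":
    print(demo())
```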


