On 3/30/07, Victor Boctor <vboctor gmail.com> wrote:
> In my mind, if someone has access to the file system, then he/she can
> do the following:
>
> 1. Open the config_inc.php and get the database user name / password
> and extract the files from there.
>
> 2. Write up a PHP script and place it on the server which provides a
> link per attachment file and allows the client to download all
> attachments without any authentication.
>
> My point is that if someone has access to the file system, then we are
> already exposed even if we guard the attachments.

Yap, that was my point.

> Am I missing something? I would agree with the configuration option
> approach for default file permission as a compromise. But we still
> have the issue of what the default value should be. I typically
> prefer the "secure by default" approach, so I would stick with the
> original value as the default value.

+1
When that is easily configurable, better stay on the safe side with defaults.
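As an added illustration of the "configurable default file permission, secure by default" compromise discussed above (this is example code written for this page, not MantisBT's own attachment code, and the config variable name `$g_attachment_file_mode` is a hypothetical placeholder), the following PHP helper stores an uploaded attachment with a restrictive mode that an administrator can relax by changing one setting:

```php
<?php
// Added example, not MantisBT code: write an attachment to disk with a
// configurable permission mode whose default is restrictive.

// Hypothetical config value standing in for the "configuration option for
// default file permission" from the thread. Default 0400 (owner read-only):
// a file written to the upload directory is not readable by other local
// accounts unless the administrator deliberately loosens this value.
$g_attachment_file_mode = 0400;

/**
 * Write $contents to $uploadDir/$name and apply $mode to the new file.
 * Returns the final path; throws on an invalid name or an I/O failure.
 */
function store_attachment(string $uploadDir, string $name, string $contents, int $mode): string
{
    // Keep only the basename so a client-supplied name cannot escape $uploadDir.
    $safeName = basename($name);
    if ($safeName === '' || $safeName === '.' || $safeName === '..') {
        throw new InvalidArgumentException('invalid attachment name');
    }
    $path = rtrim($uploadDir, '/') . '/' . $safeName;

    // Tighten the umask while creating the file so there is no window in
    // which the file exists with a permissive mode before chmod() runs.
    $oldUmask = umask(0077);
    try {
        if (file_put_contents($path, $contents, LOCK_EX) === false) {
            throw new RuntimeException("cannot write $path");
        }
        if (!chmod($path, $mode)) {
            throw new RuntimeException("cannot chmod $path");
        }
    } finally {
        umask($oldUmask);
    }
    return $path;
}

// Usage with a constructed sample attachment in a fresh temporary directory.
$dir = sys_get_temp_dir() . '/attach_' . bin2hex(random_bytes(4));
mkdir($dir, 0700);
$file = store_attachment($dir, 'report.txt', "constructed sample body\n", $g_attachment_file_mode);
printf("%s mode=%04o\n", $file, fileperms($file) & 0777);
```

The umask adjustment is the detail worth noting: relying on `chmod()` alone leaves a brief interval where the file carries the process's default creation mode, so the restrictive mask is set before the write and restored afterwards.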
_______________________________________________
mantisbt-dev mailing list
mantisbt-dev lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mantisbt-dev