Hi lunar!

On Mon, Dec 02, 2013 at 11:03:31AM +0100, Jérémy Bobbio wrote:

> After installing bley, I was a bit puzzled by the permissions given to
> the configuration file:
> 
> drwxr-x--- 2 root bley 4096 déc.   2 10:45 bley
> -rw------- 1 bley bley 1101 déc.   2 10:45 bley/bley.conf
> -rw------- 1 bley root   81 déc.   1 15:39 bley/dbconfig-common.conf
> 
> The daemon is run as the `bley` user. So this means that it can rewrite
> its own configuration file. That's unusual and bad for security.
> 
> Also, given that the secrets are all in dbconfig-common.conf, why not
> make bley.conf simply world readable?
> 
> I have made the following local changes and they work fine:
> 
> drwxr-xr-x 2 root bley 4096 déc.   2 10:45 bley
> -rw-r--r-- 1 root root 1101 déc.   2 10:45 bley/bley.conf
> -rw-r----- 1 root bley   81 déc.   1 15:39 bley/dbconfig-common.conf
> 
> This looks much more safe and idiomatic to me.

Your finding is correct, but I must admit I never played with the perms 
(and expected dpkg to get them right). Will have a look into making this 
saner -- or do you have a patch handy already? :)

Greets
Evgeni

-- 
Bruce Schneier can read and understand Perl programs.
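
The check discussed in this thread, as an added example that is not part of the original messages or of the bley package: a small audit over `ls -l` output that reports files the daemon account can rewrite and secrets files that are world-readable. The two listings are copied from the report; the function names, the defaults (`bley` user and group, `dbconfig-common.conf` as the secrets file) and the assumption that paths contain no spaces are this example's own.

```python
# Listings copied from the report above: packaged state, then the proposed fix.
PACKAGED = """\
drwxr-x--- 2 root bley 4096 déc.   2 10:45 bley
-rw------- 1 bley bley 1101 déc.   2 10:45 bley/bley.conf
-rw------- 1 bley root   81 déc.   1 15:39 bley/dbconfig-common.conf
"""
PROPOSED = """\
drwxr-xr-x 2 root bley 4096 déc.   2 10:45 bley
-rw-r--r-- 1 root root 1101 déc.   2 10:45 bley/bley.conf
-rw-r----- 1 root bley   81 déc.   1 15:39 bley/dbconfig-common.conf
"""


def parse(listing):
    """Yield (mode, owner, group, path) for each `ls -l` line (no spaces in paths)."""
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) >= 9:
            yield fields[0], fields[2], fields[3], fields[-1]


def class_bits(mode, owner, group, user, groups):
    """Return the rwx triplet the kernel applies to `user`: owner, else group, else other."""
    if user == owner:
        return mode[1:4]
    if group in groups:
        return mode[4:7]
    return mode[7:10]


def audit(listing, user="bley", groups=("bley",), secrets=("dbconfig-common.conf",)):
    """Return findings: paths the daemon can modify, and exposed or unreadable secrets."""
    findings = []
    for mode, owner, group, path in parse(listing):
        bits = class_bits(mode, owner, group, user, groups)
        if owner == user:
            # The owner can always chmod the file, so the mode bits do not protect it.
            findings.append(f"{path}: owned by {user}, daemon can rewrite it")
        elif "w" in bits:
            findings.append(f"{path}: writable by {user}")
        if path.endswith(secrets):
            if mode[7] == "r":
                findings.append(f"{path}: secrets are world-readable")
            if "r" not in bits:
                findings.append(f"{path}: daemon cannot read its secrets")
    return findings


if __name__ == "__main__":
    for name, listing in (("packaged", PACKAGED), ("proposed", PROPOSED)):
        print(name, audit(listing) or "no findings")
```
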

