Source: dehydrated
Version: 0.3.1-3~bpo8+1
Severity: serious
Tags: security

The dehydrated package by default creates private files with world-readable permissions.

How I got this: I installed dehydrated 0.3.1-3~bpo8+1, put my domain with subdomains into /etc/dehydrated/domains.txt and ran

  # dehydrated -c

as root user (I don't know whether it matters or not, but the first runs failed because I did not set up the challenge dir for all subdomains.)

After certificates and keys were generated I found that the files are readable by anyone on the system:

dnsmasq@master:~$ ls -la /var/lib/dehydrated/certs/gerasiov.net/privkey*
-rw-r--r-- 1 root root 3243 май 20 12:35 /var/lib/dehydrated/certs/gerasiov.net/privkey-1495272909.pem
-rw-r--r-- 1 root root 3243 май 20 12:40 /var/lib/dehydrated/certs/gerasiov.net/privkey-1495273211.pem

(private keys)

dnsmasq@master:~$ ls -la /var/lib/dehydrated/accounts/aH...VjdG9yeQo/account_key.pem
-rw-r--r-- 1 root root 3243 май 20 12:35 /var/lib/dehydrated/accounts/aH...VjdG9yeQo/account_key.pem

(account key)

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (700, 'testing'), (670, 'stable-updates'), (670, 'stable'), (600, 'unstable'), (550, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=ru_RU.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
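Added example, not part of the report and not code from the dehydrated project: a small POSIX shell audit for the situation described above. It lists key files under a dehydrated state directory (default /var/lib/dehydrated, the location shown in the listings) that are readable by group or others, tightens them to 0600, and shows how creating the file under a restrictive umask avoids the 0644 result in the first place. The function names, the file-name patterns (privkey*.pem, account_key.pem) and the directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Audit and tighten permissions on dehydrated private key material.
# The directory argument defaults to the path seen in the bug report.

# Print every regular file under $1 named like a dehydrated private key
# (privkey*.pem or account_key.pem) that is readable by group or others.
# A 0644 key is listed; a 0600 key is not.
find_world_readable_keys() {
    dir="${1:-/var/lib/dehydrated}"
    find "$dir" -type f \
        \( -name 'privkey*.pem' -o -name 'account_key.pem' \) \
        \( -perm -g+r -o -perm -o+r \) 2>/dev/null
}

# Restrict every matching key file under $1 to owner read/write only.
tighten_key_perms() {
    dir="${1:-/var/lib/dehydrated}"
    find "$dir" -type f \
        \( -name 'privkey*.pem' -o -name 'account_key.pem' \) \
        -exec chmod 0600 {} +
}

# Succeed (exit 0) only when no group- or world-readable key remains.
keys_are_private() {
    [ -z "$(find_world_readable_keys "$1")" ]
}

# Create an empty file as a hardened key writer should: umask 077 in a
# subshell makes the file 0600 from the moment it exists, so there is no
# window in which a fresh key is world-readable before a later chmod.
create_private_file() {
    ( umask 077; : > "$1" )
}

# Stand-alone usage: report offending files, then fix them.
if [ "${1:-}" = "--fix" ]; then
    tighten_key_perms "${2:-/var/lib/dehydrated}"
elif [ "${1:-}" = "--check" ]; then
    find_world_readable_keys "${2:-/var/lib/dehydrated}"
fi
```

Run it as `sh audit.sh --check` to list keys with loose permissions and `sh audit.sh --fix` to correct them; the umask approach in create_private_file is the durable fix, because chmod after the fact still leaves a brief window during which the file is readable.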