Your message dated Thu, 25 May 2017 18:10:47 +0300
with message-id <20170525181047.46bec...@brick.gerasiov.net>
and subject line Re: [Letsencrypt-devel] Bug#863042: dehydrated: insecure file 
permissions by default
has caused the Debian Bug report #863042,
regarding dehydrated: insecure file permissions by default
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
863042: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863042
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: dehydrated
Version: 0.3.1-3~bpo8+1
Severity: serious
Tags: security

The dehydrated package by default creates private files with world-readable
permissions.

How I got this:
I installed dehydrated 0.3.1-3~bpo8+1.
Put my domain with subdomains into /etc/dehydrated/domains.txt and ran
# dehydrated -c
as root user.
(I don't know whether it matters or not, but the first runs failed because I did
not set up the challenge dir for all subdomains.)

After the certificates and keys were generated I found that the files are
readable by anyone on the system:
dnsmasq@master:~$ ls -la /var/lib/dehydrated/certs/gerasiov.net/privkey*
-rw-r--r-- 1 root root 3243 май 20 12:35 /var/lib/dehydrated/certs/gerasiov.net/privkey-1495272909.pem
-rw-r--r-- 1 root root 3243 май 20 12:40 /var/lib/dehydrated/certs/gerasiov.net/privkey-1495273211.pem
private keys

dnsmasq@master:~$ ls -la /var/lib/dehydrated/accounts/aH...VjdG9yeQo/account_key.pem
-rw-r--r-- 1 root root 3243 май 20 12:35 /var/lib/dehydrated/accounts/aH...VjdG9yeQo/account_key.pem
account key


-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (700, 'testing'), (670, 'stable-updates'), (670, 'stable'), (600, 'unstable'), (550, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=ru_RU.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
--- Begin Message ---
Hello Mattia,

On Mon, 22 May 2017 10:41:25 +0200
Mattia Rizzolo <mat...@debian.org> wrote:

> Control: tag -1 unreproducible moreinfo
> 
> On Sat, May 20, 2017 at 07:25:03PM +0300, Alexander GQ Gerasiov wrote:
> > The dehydrated package by default creates private files with
> > world-readable permissions.
> 
> That's not what it does around here, nor could I find anybody who had
> your experience.

That's really weird. Now I believe the problem itself is in a strange ACL
I see on my virtual host which overrides umask. dehydrated itself looks
innocent, it really does umask in the beginning.

-- 
Best regards,
 Alexander Gerasiov

 Contacts:
 e-mail: g...@cs.msu.su  Homepage: http://gerasiov.net  Skype: gerasiov
 PGP fingerprint: 04B5 9D90 DF7C C2AB CD49  BAEA CA87 E9E8 2AAC 33F1



--- End Message ---
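
The check below is an added example, not part of the original thread or of dehydrated: it lists key files under the dehydrated state directory that have the other-read bit set, and directories carrying a default ACL, the condition the reporter believes overrode the umask. The default path and file-name patterns come from the listings in the report; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a dehydrated state directory for exposed key files.
# Usage: audit_dehydrated [BASEDIR]   (returns non-zero when something is found)

# Print every key file under $1 that has the other-read bit set.
# Patterns match the file names shown in the report's ls output.
find_exposed_keys() {
    find "$1" -type f \( -name 'privkey*.pem' -o -name 'account_key.pem' \) \
        -perm -004 -print 2>/dev/null | sort
}

# Print every directory under $1 that carries a default ACL entry.
# Files created in such a directory get their mode from the default ACL
# entries, not from the process umask.
# Needs getfacl (acl package); prints nothing if it is not installed.
find_default_acl_dirs() {
    command -v getfacl >/dev/null 2>&1 || return 0
    find "$1" -type d 2>/dev/null | while IFS= read -r d; do
        if getfacl -p "$d" 2>/dev/null | grep -q '^default:'; then
            printf '%s\n' "$d"
        fi
    done
}

audit_dehydrated() {
    basedir=${1:-/var/lib/dehydrated}   # path as shown in the report
    rc=0
    exposed=$(find_exposed_keys "$basedir")
    if [ -n "$exposed" ]; then
        printf 'key files readable by other:\n%s\n' "$exposed"
        rc=1
    fi
    acl_dirs=$(find_default_acl_dirs "$basedir")
    if [ -n "$acl_dirs" ]; then
        printf 'directories with a default ACL (umask not applied):\n%s\n' "$acl_dirs"
        rc=1
    fi
    return $rc
}
```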