On Mon, Mar 12, 2007 at 14:38:02 +0800, Thomas Goirand wrote:

> Julien Cristau wrote:
> > Package: dtc-xen
> > Version: 0.2.6-5
> > Severity: serious
> > Tags: security
> > 
> > Hi,
> > 
> > dtc-xen creates files in /etc/dtc-xen in its postinst, in particular ssl
> > private keys, and only after that chmods them.  This means that there is
> > a race condition which makes these files readable by anyone.
> > 
> > Cheers,
> > Julien
> 
> Should I provide these files already with chmod in the package itself?

right, shipping ssl private keys in the package, that sounds like a good
idea... not.

> Having them in the package in /etc wouldn't matter, as they would be set
> as conffiles, but it could be still problematic, no? What is your
> suggestion? Let me know.
> 
you could look up umask.

Cheers,
Julien
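
The create-then-chmod window described in the report, next to the umask approach suggested in the reply, as an added example that is not part of the original thread or of the dtc-xen package. The file names, the write_secret stand-in for the key generator, and the 022 starting umask are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration: how a maintainer script can create a secret file
# without a window in which it is world-readable.

# Stand-in for the real key generator (assumption): writes
# constructed placeholder bytes to the path given as $1.
write_secret() {
    printf 'PLACEHOLDER-KEY-MATERIAL\n' > "$1"
}

# Permission string of a file, e.g. "-rw-r--r--" (portable, no GNU stat).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Racy pattern from the report: the file is created under the inherited
# umask and only tightened afterwards. Prints the mode that other local
# users could observe between the write and the chmod.
create_then_chmod() {
    write_secret "$1"
    mode_of "$1"
    chmod 600 "$1"
}

# Hardened pattern: tighten the umask before the file exists. The
# subshell keeps the umask change from leaking into the rest of the
# script. Prints the mode the file has from the moment it is created.
create_with_umask() {
    (
        umask 077
        write_secret "$1"
    )
    mode_of "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    (
        umask 022   # assumed default for the installing process
        echo "create then chmod: $(create_then_chmod "$dir/racy.key")"
        echo "umask 077 first:   $(create_with_umask "$dir/safe.key")"
    )
    rm -rf "$dir"
}

demo
```

With a starting umask of 022 the first pattern exposes the file as -rw-r--r-- until chmod runs, while the second never shows anything wider than -rw-------.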

