On Sun, Jan 22, 2017 at 12:57:38PM +0100, Guillem Jover wrote:
> On Sun, 2017-01-22 at 11:56:59 +0100, Benoît wrote:
> > I'm upgrading openssh server and dpkg tells me about a new config file.
> > I usually find a .dist-something file beside the current file.
> > I couldn't.
> > Then I read carefully dpkg's message.
> > It's telling me to check a file with a hard-to-remember name in /tmp/.
> > And that file is world readable, unlike my current config file.
> >
> > I don't know if it's safe to have a sshd_config world-readable, but
> > some other package conf file may store secret information.
> > So putting the new file world readable in a world-readable dir doesn't
> > seem right to me.
> >
> > $ LANG=C ls -la /tmp/fileaURJMg /etc/ssh/sshd_config
> > -rw------- 1 root root 2425 Jan 28 2016 /etc/ssh/sshd_config
> > -rw-r--r-- 1 root root 3361 Jan 16 16:11 /tmp/fileaURJMg
>
> This would be due to the ucf usage (which TBH I always find slightly
> annoying), so I'm reassigning to ucf and marking as affecting
> openssh-server.

The temporary file here is the *packaged* version of the file, modified only to take account of values set in the debconf database; it is by definition world-readable, containing no secret information. There's no information leak going on here.

--
Colin Watson [[email protected]]

