Your message dated Thu, 25 May 2017 18:10:47 +0300 with message-id <20170525181047.46bec...@brick.gerasiov.net> and subject line Re: [Letsencrypt-devel] Bug#863042: dehydrated: insecure file permissions by default has caused the Debian Bug report #863042, regarding dehydrated: insecure file permissions by default to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
863042: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863042
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: dehydrated
Version: 0.3.1-3~bpo8+1
Severity: serious
Tags: security

dehydrated package by default creates private files with world-readable
permissions.

How I got this:

I installed dehydrated 0.3.1-3~bpo8+1
Put my domain with subdomains to /etc/dehydrated/domains.txt
and run
# dehydrated -c
as root user

(I don't know does it matter or not, but first runs failed because I did not
setup challenge dir for all subdomain.)

After certificates and keys were generated I found that files are readable by
anyone in the system:

dnsmasq@master:~$ ls -la /var/lib/dehydrated/certs/gerasiov.net/privkey*
-rw-r--r-- 1 root root 3243 май 20 12:35 /var/lib/dehydrated/certs/gerasiov.net/privkey-1495272909.pem
-rw-r--r-- 1 root root 3243 май 20 12:40 /var/lib/dehydrated/certs/gerasiov.net/privkey-1495273211.pem

private keys

dnsmasq@master:~$ ls -la /var/lib/dehydrated/accounts/aH...VjdG9yeQo/account_key.pem
-rw-r--r-- 1 root root 3243 май 20 12:35 /var/lib/dehydrated/accounts/aH...VjdG9yeQo/account_key.pem

account key

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (700, 'testing'), (670, 'stable-updates'), (670, 'stable'), (600, 'unstable'), (550, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=ru_RU.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
--- End Message ---
--- Begin Message ---
Hello Mattia,

On Mon, 22 May 2017 10:41:25 +0200
Mattia Rizzolo <mat...@debian.org> wrote:

> Control: tag -1 unreproducible moreinfo
>
> On Sat, May 20, 2017 at 07:25:03PM +0300, Alexander GQ Gerasiov wrote:
> > dehydrated package by default creates private files with
> > world-readable permissions.
>
> That's not what it does around here, nor could I find anybody who had
> your experience.

That's really weird.

Now I believe the problem itself is in a strange ACL I see on my virtual
host which overrides umask.

dehydrated itself looks innocent, it really does umask in the beginning.

--
Best regards,
 Alexander Gerasiov

 Contacts:
 e-mail: g...@cs.msu.su
 Homepage: http://gerasiov.net
 Skype: gerasiov
 PGP fingerprint: 04B5 9D90 DF7C C2AB CD49 BAEA CA87 E9E8 2AAC 33F1
--- End Message ---
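
An audit for the condition this thread turned up, as an added example that is not part of the original messages or of dehydrated itself: it lists key files readable by group or others, and directories carrying a default ACL, which sets the mode of newly created files in place of the umask. The file-name patterns follow the listings in the report; the function names are assumptions, and the ACL check needs getfacl (Debian package "acl").

```sh
#!/bin/sh
# Added example (not from the thread or from dehydrated).
# Function names are hypothetical; file-name patterns follow the report.

# List private/account key files under $1 readable by group or others.
loose_keys() {
    find "$1" -type f \
        \( -name 'privkey*.pem' -o -name 'account_key.pem' \) \
        \( -perm -040 -o -perm -004 \) 2>/dev/null | sort
}

# List directories under $1 that carry a default ACL. Files created in such
# a directory get their mode from the ACL; the process umask is not applied.
# Returns 2 when getfacl is not installed.
dirs_with_default_acl() {
    command -v getfacl >/dev/null 2>&1 || return 2
    find "$1" -type d 2>/dev/null | while IFS= read -r dir; do
        # -d: default ACL only, -c: omit the comment header, -p: keep the path
        if getfacl -d -c -p "$dir" 2>/dev/null | grep -q '^[a-z]'; then
            printf '%s\n' "$dir"
        fi
    done
}

# Run as: sh audit.sh /var/lib/dehydrated
if [ "$#" -eq 1 ]; then
    echo "Key files readable by group or others:"
    loose_keys "$1"
    echo "Directories with a default ACL:"
    dirs_with_default_acl "$1" || echo "(getfacl not available)"
fi
```

A directory reported by the second check explains key files that come out as -rw-r--r-- even though the creating process set a restrictive umask.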