Source: shadowsocks-libev
Version: 3.1.1+ds-1
Severity: important

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Dear Maintainer,

By default, the configuration containing the server password /etc/shadowsocks-
libev/config.json is world readable. This means that when an administrator
configures a shadowsocks client on a machine, the server's password can be read
by other users on the system.

It is possible for an administrator to lock down the permissions by setting the
permissions to 750 on the directory and/or 640 on the configuration file.  However,
this requires the group ownership of the file to be passed on to the 'nogroup' user as
that is what the daemon is executed as. This means that other daemons running
under this group will be able to read the password.  Then the administrator has
to create a special daemon group and change the systemd service file
accordingly.

I suggest we handle this in the package:

- - Create a new user and group for daemon to run. Say 'debian-shadowsocks'.
- - Make the daemon run using this user and group.
- - Change ownership of the configuration file to 'root:debian-shadowsocks'.
- - Change the permission of the configuration file to 640 and possibly the
directory to 750.

Shadowsocks is being integrated into FreedomBox. Thank you for maintaining
shadowsocks.

- --
Sunil



- -- System Information:
Debian Release: 9.1
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_IN.UTF-8, LC_CTYPE=en_IN.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_IN.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
