> Don't you think it's kind of an openssl bug to create the key material
> with full permissions? Shouldn't it creat("keyfile", 0600)?
Would be nice I suppose.
> This aside, I'd recommend working around the issue by creating the key
> file beforehand with restricted permissions, and not touching
"Scott Cantor" writes:
>> Note that we can't just use umask 177 in the Debian version of this script
>> since Debian runs shibd as a non-root user and then won't be able to read
>> the certificate. For Debian, we should set the group ownership to the
>> shibd user we create and make the file gro
On Fri, Mar 05, 2010 at 10:01:23AM -0800, Russ Allbery wrote:
> Ferenc Wagner writes:
>
> > How should we proceed with this bug? I'm not sure it warrants a
> > security update, so I didn't want to push this patch.
>
> It doesn't really warrant a security update, I think. However, we should
> a
Actually, I think I was confusing your original umask fix with this
submitted patch:
https://bugs.internet2.edu/jira/browse/SSPCPP-281
That has a -u option for controlling the user, and I suppose having a group
option would make sense also.
It would help if folks could collaborate and suggest th
> Thank you for the offer! I think it's going to be a bit tricky for you to
> do something upstream that will also work in Debian without modifications,
> since you won't be able to rely on the group that we're creating as part
> of the package installation, so I suspect we should probably carry a
"Scott Cantor" writes:
>> Note that we can't just use umask 177 in the Debian version of this script
>> since Debian runs shibd as a non-root user and then won't be able to read
>> the certificate. For Debian, we should set the group ownership to the
>> shibd user we create and make the file gro
> Note that we can't just use umask 177 in the Debian version of this script
> since Debian runs shibd as a non-root user and then won't be able to read
> the certificate. For Debian, we should set the group ownership to the
> shibd user we create and make the file group-readable.
If there's a be
Ferenc Wagner writes:
> How should we proceed with this bug? I'm not sure it warrants a
> security update, so I didn't want to push this patch.
It doesn't really warrant a security update, I think. However, we should
apply it to the unstable shibboleth-sp2 and do another upload. I don't
feel
Ferenc Wagner writes:
> Upstream fixed this by using umask 177.
Russ,
How should we proceed with this bug? I'm not sure it warrants a
security update, so I didn't want to push this patch.
Thanks,
Feri.
>From 8012fbf3cfb48df91ff26dc30cda23fb739386e7 Mon Sep 17 00:00:00 2001
From: Ferenc Wagne
Dominic Hargreaves writes:
> On Mon, Mar 01, 2010 at 03:41:51PM +0100, Ferenc Wagner wrote:
>> (Btw. I recommend using the backported packages, they are more
>> mature in several respects besides the higher version numbers.)
> Thanks for the tip; I'll bear it in mind if we encounter a need
> for
On Mon, Mar 01, 2010 at 03:41:51PM +0100, Ferenc Wagner wrote:
> Upstream fixed this (with amazing speed -- thanks, Scott!) by using
> umask 177. This is stricter than requested, as it affects the
> certificate as well, not only the key. Dominic, is this acceptable for
> you?
Yes, that's fine. P
Upstream fixed this (with amazing speed -- thanks, Scott!) by using
umask 177. This is stricter than requested, as it affects the
certificate as well, not only the key. Dominic, is this acceptable for
you? (Btw. I recommend using the backported packages, they are more
mature in several respects
forwarded 571631 https://bugs.internet2.edu/jira/browse/SSPCPP-106
thanks
Dominic Hargreaves writes:
> # ls -l sp*
> ls: cannot access sp*: No such file or directory
> # shib-keygen
> [...]
> # ls -l sp*
> -rw-r--r-- 1 root root 1164 Feb 26 15:39 sp-cert.pem
> -rw-r--r-- 1 root root 1675 Feb 26
Processing commands for cont...@bugs.debian.org:
> forwarded 571631 https://bugs.internet2.edu/jira/browse/SSPCPP-106
Bug #571631 [libapache2-mod-shib2] libapache2-mod-shib2: shib-keygen generates
world-readable key file
Set Bug forwarded-to-address to
'https://bugs.internet2.edu/jira/browse/SSP
Package: libapache2-mod-shib2
Version: 2.0.dfsg1-4+lenny2
Severity: critical
Tags: security
Justification: root security hole
When setting up a new SP, I observe the following:
irregular-apocalypse:/etc/shibboleth# ls -l sp*
ls: cannot access sp*: No such file or directory
irregular-apocalypse:/e
15 matches
Mail list logo
