[Letsencrypt-devel] Bug#863042: dehydrated: insecure file permissions by default

Alexander GQ Gerasiov gq at debian.org
Sat May 20 16:25:03 UTC 2017

Source: dehydrated
Version: 0.3.1-3~bpo8+1
Severity: serious
Tags: security

dehydrated package by default create private files with word-readable

How I got this:
I installed dehydrated 0.3.1-3~bpo8+1
Put my domain with subdomains to /etc/dehydrated/domains.txt and run
# dehydrated -c
as root user
(I dont know does it matter or not, but first runs failed because I did
not setup challenge dir for all subdomain.)

After cerificates and keys was generated I found that files are
readable by anyone in the system:
dnsmasq at master:~$ ls -la /var/lib/dehydrated/certs/gerasiov.net/privkey*
-rw-r--r-- 1 root root 3243 май 20 12:35 /var/lib/dehydrated/certs/gerasiov.net/privkey-1495272909.pem
-rw-r--r-- 1 root root 3243 май 20 12:40 /var/lib/dehydrated/certs/gerasiov.net/privkey-1495273211.pem
private keys

dnsmasq at master:~$ ls -la /var/lib/dehydrated/accounts/aH...VjdG9yeQo/account_key.pem
-rw-r--r-- 1 root root 3243 май 20 12:35 /var/lib/dehydrated/accounts/aH...VjdG9yeQo/account_key.pem
accout key

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (700, 'testing'), (670, 'stable-updates'), (670, 'stable'), (600, 'unstable'), (550, 'experimental')
Architecture: amd64
Foreign Architectures: i386

Kernel: Linux 4.9.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=ru_RU.utf8, LC_CTYPE=ru_RU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

More information about the Letsencrypt-devel mailing list