[Letsencrypt-devel] Bug#863042: Bug#863042: dehydrated: insecure file permissions by default

Mattia Rizzolo mattia at debian.org
Mon May 22 08:41:25 UTC 2017


Control: tag -1 unreproducible moreinfo

On Sat, May 20, 2017 at 07:25:03PM +0300, Alexander GQ Gerasiov wrote:
> dehydrated package by default create private files with word-readable
> permissions.

That's not what it doe around here, nor I could find anybody who had
your experience.
One of the first thing dehydrated does is to set an umask of 077, and
then mktemp creates file with 600 by default anyway, indeed all my
files (public and private keys) are 600.

> How I got this:
> I installed dehydrated 0.3.1-3~bpo8+1
> Put my domain with subdomains to /etc/dehydrated/domains.txt and run
> # dehydrated -c
> as root user
> (I dont know does it matter or not, but first runs failed because I did
> not setup challenge dir for all subdomain.)
> 
> After cerificates and keys was generated I found that files are
> readable by anyone in the system:
> dnsmasq at master:~$ ls -la /var/lib/dehydrated/certs/gerasiov.net/privkey*

In fact you shouldn't even be able to do this, the certs directories
should be 700...

Are you running with a weird umask (which shouldn't matter anyway), or a
mangled mktemp, or do you have (more likely) any hook misbehaving?

-- 
regards,
                        Mattia Rizzolo

GPG Key: 66AE 2B4A FCCF 3F52 DA18  4D18 4B04 3FCD B944 4540      .''`.
more about me:  https://mapreri.org                             : :'  :
Launchpad user: https://launchpad.net/~mapreri                  `. `'`
Debian QA page: https://qa.debian.org/developer.php?login=mattia  `-
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/letsencrypt-devel/attachments/20170522/34aa6f8c/attachment.sig>


More information about the Letsencrypt-devel mailing list