[Secure-testing-team] Bug#752092: softhsm-keyconv creates security-sensitive file world-readable

Jonas Smedegaard dr at jones.dk
Thu Jun 19 12:03:02 UTC 2014


Package: softhsm
Version: 1.3.3-2
Severity: important
Tags: security

The softhsm-keyconv tool creates its output files with default access
rights, i.e. group and world readable on a default Debian setup.

I believe the correct thing would be to instead create files readable
only by the user invoking the tool, or inherit access rights from the
input file of the conversion process.

 - Jonas

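The difference between the reported behaviour and the two proposed ones, as an added example that is not part of the original report and is not softhsm's code. All function names are hypothetical; write_default stands in for any file creation that relies on the process umask.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Permission bits of path, or -1 on error. */
int file_mode(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Reported behaviour (stand-in): fopen() creates with 0666 & ~umask. */
int write_default(const char *path, const char *data)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    int ok = fputs(data, f) >= 0;
    return (fclose(f) == 0 && ok) ? 0 : -1;
}

/* Proposed behaviour: owner-only, or the input file's bits if one is given. */
int write_private(const char *path, const char *inherit_from, const char *data)
{
    mode_t mode = S_IRUSR | S_IWUSR;
    struct stat st;
    if (inherit_from != NULL) {
        if (stat(inherit_from, &st) != 0)
            return -1;
        mode = st.st_mode & 0777;
    }
    /* Create at 0600 so the data is never wider than owner-only while it is
     * written; O_EXCL refuses an existing file (or symlink) at this path. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    size_t len = strlen(data);
    int ok = write(fd, data, len) == (ssize_t)len && fchmod(fd, mode) == 0;
    return (close(fd) == 0 && ok) ? 0 : -1;
}
```

With the Debian default umask of 022, write_default leaves the file at 0644, while write_private leaves it at 0600 regardless of umask.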


