Source: dyfi
Version: 1.2.0-4
Severity: normal
Tags: patch
The configuration file created by postinst is world readable. Anyone can thus
read the
configured username and password for the dyfi service.
$ ls -la /etc/dyfi-update.conf
-rw-r--r-- 1 dyfi dyfi 381 Jun 16 09:11 /etc/dyfi-update.conf
-- System Information:
Debian Release: 8.5
APT prefers stable
APT policy: (510, 'stable'), (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.5.0-0.bpo.2-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages dyfi depends on:
ii adduser 3.113+nmu3
ii debconf [debconf-2.0] 1.5.56
ii init-system-helpers 1.34
ii libwww-perl 6.08-1
ii perl 5.20.2-3+deb8u5
dyfi recommends no packages.
dyfi suggests no packages.
-- debconf information excluded
Description: Fix configuraion file permissions (passwords should probably not be world readable...)
--- a/debian/postinst
+++ b/debian/postinst
@@ -28,6 +28,7 @@
fi
touch /var/log/dyfi-update.log
chown -R dyfi:dyfi /usr/share/dyfi /var/log/dyfi-update.log /etc/dyfi-update.conf
+ chmod o-r /etc/dyfi-update.conf
;;
esac
#DEBHELPER#
