2017-08-28 19:48 GMT+02:00 Troy Ready <t...@troyready.com>:
[...]
> Dear Maintainer,
>
> TLS private key files are explicitly checked for permissions 0600 at
> startup[0], which precludes the use of the ssl-cert group to manage the key.
>
> This may be changed upstream at some point[1], but for now I think it'd be
> appropriate for Debian to extend the check to allow for some form of
> group-read permissions.
>
> The original reason for locking it down so strictly was CVE-2013-4476[2],
> which was reported because of world-readable permissions; group-read
> permissions wouldn't be a regression on the CVE fix.
>
> If someone was open to taking this, it should be trivial to adapt the patch
> from #10392[1] for it (happy to submit that here if it would help).

Hello,

We're not against this change, but please propose a patch upstream first.
Once it is merged upstream (in the master branch), we can backport it
to the Debian package.

Regards
--
Mathieu Parent
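
The check under discussion, as an added example that is not part of either message and is neither the upstream project's code nor the patch from #10392: a strict 0600 test beside a relaxed one that also accepts group-read. The function names, the choice of 0640 as the accepted "form of group-read", and the temporary files are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* O_NOFOLLOW, mkstemp, fchmod */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Return 0 if the mode is acceptable for a private key, -1 otherwise.
 * Strict: exactly 0600. Relaxed (assumed policy): 0600 or 0640, so a group
 * such as ssl-cert may read the key. "Other" never gets any access. */
int key_mode_ok(mode_t mode, int allow_group_read)
{
    mode_t perms = mode & 07777; /* permission, setuid, setgid, sticky bits */
    if (perms == 0600)
        return 0;
    return (allow_group_read && perms == 0640) ? 0 : -1;
}

/* fstat() on the opened descriptor checks the same file that would then be
 * read, so there is no window between the check and the open. */
int check_key_file(const char *path, int allow_group_read)
{
    struct stat st;
    int rc = -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode))
        rc = key_mode_ok(st.st_mode, allow_group_read);
    close(fd);
    return rc;
}

/* Constructed sample input: a temp file given `mode`; -2 means setup failed. */
int demo_check(mode_t mode, int allow_group_read)
{
    char path[] = "/tmp/keycheck-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0)
        return -2;
    int rc = (fchmod(fd, mode) == 0) ? 0 : -2;
    close(fd);
    if (rc == 0)
        rc = check_key_file(path, allow_group_read);
    unlink(path);
    return rc;
}

int main(void)
{
    printf("0640 strict=%d relaxed=%d; 0644 relaxed=%d\n",
           demo_check(0640, 0), demo_check(0640, 1), demo_check(0644, 1));
    return 0;
}
```

The relaxed branch still rejects any world-readable mode, which is the condition CVE-2013-4476 was reported for.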