Package: knockd
Version: 0.7-1
Severity: normal

Dear Maintainer,

after installation of knockd on Debian I discovered that /etc/knockd.conf has a file permission of 644. This means the secret port knocking sequence is readable for all system users. Additionally, if an attacker can get read access to files (e.g. due to a flaw in a web app) he can read the sequences and associated commands as well.

On Ubuntu 16.04 the file permission of /etc/knockd.conf is 640 after installation. I would expect the same or 600 on Debian.

Please check and fix if appropriate.

Best regards from Germany
Tom Gries

-- System Information:
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: kali-rolling
Codename: kali-rolling
Architecture: x86_64

Kernel: Linux 4.13.0-kali1-amd64 (SMP w/1 CPU core)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages knockd depends on:
ii  libc6       2.25-3
ii  libpcap0.8  1.8.1-5
ii  logrotate   3.11.0-0.1
ii  lsb-base    9.20170808

knockd recommends no packages.

knockd suggests no packages.

-- no debconf information
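
A check for the condition reported above, as an added example (not part of the original report and not code from the knockd package): it flags a configuration file that grants any access to "other", as mode 644 does, and tightens it to at most 640. The function names are hypothetical; the path to audit is passed as an argument.

```shell
#!/bin/sh
# Added example: audit a knockd configuration file for permission bits
# granted to "other" (the 644 case from the report). Function names are
# hypothetical and not part of knockd or its Debian packaging.

# Print the 9-character permission string (e.g. rw-r--r--) of FILE.
# -L follows symlinks so the target's mode is reported, not the link's.
perm_string() {
    ls -ldL -- "$1" | cut -c2-10
}

# Return 0 if FILE grants any access to "other" users,
# 1 if it grants none, 2 if FILE does not exist.
conf_exposed() {
    [ -e "$1" ] || return 2
    other=$(perm_string "$1" | cut -c7-9)
    [ "$other" != "---" ]
}

# Drop all "other" access plus group write/execute: 644 becomes 640,
# 600 stays 600. Succeeds only if the file is no longer exposed.
harden_conf() {
    chmod o-rwx,g-wx "$1" && ! conf_exposed "$1"
}

# Print a one-line verdict for FILE.
# Returns 0 when not exposed, 1 when exposed, 2 when missing.
audit_conf() {
    rc=0
    conf_exposed "$1" || rc=$?
    case $rc in
        0) echo "EXPOSED $(perm_string "$1") $1"; return 1 ;;
        1) echo "OK      $(perm_string "$1") $1"; return 0 ;;
        *) echo "MISSING $1"; return 2 ;;
    esac
}

# Audit every path given on the command line, e.g. /etc/knockd.conf.
for f in "$@"; do
    audit_conf "$f" || true
done
```

The check deliberately ignores group read, so both 640 and 600, the two modes the report names as acceptable, pass.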