On Wed, 2019-07-31 at 00:12 +0600, Vladimir Bezhenar wrote:
> By default file /etc/swanctl/swanctl.conf is world-readable
> (permissions 644). This file can contain passwords for EAP
> authentications, therefore it must not be world-readable, as this
> information is confidential.

Hey,

I'm not entirely sure I agree with this. I mean, it definitely makes sense to protect private assets, but that's why there are subfolders (with relevant permissions) for private keys and stuff like that. If people want to (or rather have to) use stuff like passwords, I think they really should make sure those are not exposed by too wide permissions.

That being said, I'm not sure how much it “hurts” to have swanctl.conf (and conf.d) not world readable by default. I'll ask upstream about that.

Regards,
-- 
Yves-Alexis
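
Added example, not part of the original messages or of the strongSwan or Debian packaging: a shell check for the situation discussed above, reporting files under the swanctl configuration directory that are both world-readable and contain a secret. It assumes secrets are stored as `secret = ...` settings (as in the `secrets` section of swanctl.conf); the function name `audit_swanctl` is hypothetical.

```shell
#!/bin/sh
# Audit a swanctl configuration tree for world-readable files holding secrets.
# Usage: audit_swanctl [DIR]      (DIR defaults to /etc/swanctl)
# Prints the path of each offending file; returns 1 if any was found.
audit_swanctl() {
    dir=${1:-/etc/swanctl}
    findings=$(
        # swanctl.conf itself plus anything dropped into conf.d.
        # -perm -004 matches files whose "other" read bit is set (e.g. 644).
        find "$dir/swanctl.conf" "$dir/conf.d" -type f -perm -004 2>/dev/null |
        while IFS= read -r f; do
            # Assumption: a secret is any uncommented "secret = ..." setting,
            # as used for EAP and PSK entries in the secrets section.
            if grep -Eq '^[[:space:]]*secret[[:space:]]*=' "$f"; then
                printf '%s\n' "$f"
            fi
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

A file that is world-readable but holds only connection definitions is not reported, which matches the distinction drawn in the reply between private material and the rest of the configuration.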