On Sun, Apr 25, 2010 at 12:35 PM, Adrien Clerc <adr...@antipoul.fr> wrote:
> Hi,
>
> It seems that /var/lib/prosody and all subdirectories and files are world
> readable. Since those files can contain plaintext passwords, it is very
> annoying for public servers.

Prosody used to create database files world readable because of a bug in liblua5.1-filesystem0 (see http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=562627 for details). Though now that bug is fixed, so all new files shouldn't be world-readable. Also, /var/lib/prosody permissions are set to 750 in the postinstallation script, so I'm surprised that it ends up world-readable.

>
> Please make sure that database can only be read by the prosody user.

Could you check if the liblua5.1-filesystem0 version is 1.4.2-3 (your reportbug didn't mention its version), reinstall (or upgrade) prosody and check if /var/lib/prosody's permissions are 750 and if creation of a new user makes its DB file /var/lib/prosody/<servername>/accounts/username.dat with proper permissions?

> Depends (Version)                       | Installed
> =======================================-+-==============
> liblua5.1-filesystem0                   |

By the way, is there any chance that you have overridden /var/lib/prosody permissions by copying old backup data or imported data from some other server?

Cheers!
--
Sergei Golovan
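
The permission check requested in the reply above, as an added example (not part of the original message and not Prosody's or Debian's own code): a shell audit that compares the data directory's mode to 750 and lists everything beneath it that has any permission bit set for "other". The function names and the sample tree (host directory example.org, alice.dat, bob.dat) are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a Prosody-style data directory for world access.
# audit_datadir, mode_of and make_sample_tree are hypothetical helper names.

# Octal mode of a path (GNU/busybox stat, with a BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_datadir DIR [EXPECTED_MODE]
# Prints one finding per line. Returns 0 if clean, 1 on findings, 2 if DIR is missing.
audit_datadir() {
    dir=$1
    want=${2:-750}
    findings=0
    [ -d "$dir" ] || { echo "MISSING $dir"; return 2; }

    got=$(mode_of "$dir")
    if [ "$got" != "$want" ]; then
        echo "DIRMODE $dir is $got, expected $want"
        findings=1
    fi

    # Entries below DIR with read, write or execute set for "other".
    # A 750 top directory already blocks traversal by other users, but files
    # restored from a backup keep their old modes if that directory is loosened.
    world=$(find "$dir" -mindepth 1 \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$world" ]; then
        printf '%s\n' "$world" | sed 's/^/WORLD /'
        findings=1
    fi
    return $findings
}

# Constructed sample tree: one correctly restricted account file and one
# world-readable file, the condition reported in the thread.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/example.org/accounts"
    echo 'constructed placeholder' > "$root/example.org/accounts/alice.dat"
    echo 'constructed placeholder' > "$root/example.org/accounts/bob.dat"
    chmod 750 "$root" "$root/example.org" "$root/example.org/accounts"
    chmod 640 "$root/example.org/accounts/alice.dat"
    chmod 644 "$root/example.org/accounts/bob.dat"
    echo "$root"
}

# Run against a real directory when a path is given, e.g.:
#   sh audit.sh /var/lib/prosody
if [ $# -gt 0 ]; then audit_datadir "$@"; fi
```

Run it as root or as the prosody user so that find can descend into a directory that is already set to 750.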