Bug#612644: tryton-server: Postinst resets insecure permissions on configuration file with passwords

Jeroen Dekkers Wed, 09 Feb 2011 10:21:29 -0800

Package: tryton-server
Version: 1.6.1-2
Severity: important

Hi,


>From README.Debian:

  * trytond must have read access to its configuration file, otherwise it will
    start with internal defaults. The postinst script will (re)set correct
    permissions on the standard configuration file (0644 on /etc/tyond.conf).

This means that the database password and admin password configured in
/etc/trytond.conf will be readable for all users on the system after
postinst is run, even if the user has been so wise to make it 0600,
because making the tryton database available to all users on the
system is a very bad idea. The postinst shouldn't overrule user
changes of the permissions of the config file.

Regards,

Jeroen Dekkers

-- System Information:
Debian Release: 6.0
  APT prefers stable
  APT policy: (990, 'stable'), (500, 'squeeze-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages tryton-server depends on:
ii  adduser                 3.112+nmu2       add and remove users and groups
ii  python                  2.6.6-3+squeeze5 interactive high-level object-orie
ii  python-dateutil         1.4.1-3          powerful extensions to the standar
ii  python-genshi           0.6-1            Python XML-based template engine
ii  python-lxml             2.2.8-2          pythonic binding for the libxml2 a
ii  python-pkg-resources    0.6.14-4         Package Discovery and Resource Acc
ii  python-psycopg2         2.2.1-1          Python module for PostgreSQL
ii  python-relatorio        0.5.5-1          Python module to create reports fr
ii  python-simplejson       2.1.1-1          simple, fast, extensible JSON enco
ii  python-support          1.0.10           automated rebuilding support for P

Versions of packages tryton-server recommends:
ii  logrotate                3.7.8-6         Log rotation utility
pn  openoffice.org-core      <none>          (no description available)
pn  openoffice.org-draw      <none>          (no description available)
pn  openoffice.org-writer    <none>          (no description available)
ii  postgresql               8.4.7-0squeeze2 object-relational SQL database (su
ii  postgresql-client-8.4 [p 8.4.7-0squeeze2 front-end programs for PostgreSQL 
pn  python-openoffice        <none>          (no description available)
ii  python-openssl           0.10-1          Python wrapper around the OpenSSL 
pn  python-pydot             <none>          (no description available)
pn  python-tz                <none>          (no description available)
ii  python-webdav            0.9.4-1         WebDAV server implementation in Py

Versions of packages tryton-server suggests:
pn  python-psyco                  <none>     (no description available)
pn  python-sphinx                 <none>     (no description available)
pn  tryton-client | tryton-neso   <none>     (no description available)

-- Configuration Files:
/etc/trytond.conf [Errno 13] Permission denied: u'/etc/trytond.conf'

-- no debconf information



-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Bug#612644: tryton-server: Postinst resets insecure permissions on configuration file with passwords

Reply via email to