Hi Russ,

>> README.Debian states:
>
>>   The private key must have the correct permissions:
>
>>     chown root:news /etc/news/key.pem
>>     chmod 640 /etc/news/key.pem
>
>> But as nnrpd(8) clearly states, this must instead be
>
>>     chown news:news /etc/news/key.pem
>>     chmod 600 /etc/news/key.pem
>
> That's kind of bogus on nnrpd's part.  It should cope with the key being
> owned by root and not writable by the news user.
I think the issue is that nnrpd tries to make sure that only the news user
can read the private key.  400 news:news would also be fine (and it is not
writable by the news user).

When we have 640 root:news, other users in the news group can read the key,
and not only the news user.  But is it really important to check that?
Can't we have cases with other groups than the news one?  (adm, wheel, or
groups like these)

Currently:

    if (!S_ISREG(buf.st_mode) || (buf.st_mode & 0077) != 0
        || buf.st_uid != getuid()) {
        syslog(L_ERROR, "bad ownership or permissions on private key"
               " '%s': private key must be mode 600 and owned by "
               "uid %d", cert_file, getuid());
        return (0);
    }

Maybe we should just do:

    if (!S_ISREG(buf.st_mode) || (buf.st_mode & 0137) != 0) {
        syslog(L_ERROR, "bad ownership or permissions on private key"
               " '%s': private key must be mode 640 at most", cert_file);
        return (0);
    }

It is up to the administrator of the server to make sure he does not give
too many rights.  At least, nnrpd will ensure there really aren't too many
rights.

-- 
Julien ÉLIE

« Je ne cherche pas à connaître les réponses, je cherche à comprendre les
  questions. »