Hi Russ, > At first glance, it seems to me like the news group is fairly trusted > already by INN, and I'm missing why we should be worried about people in > the news group being able to see the private key.
Yes, you're right. > We should probably be slightly more paranoid and ensure that if the mode > is 440 or 640, the group owner is the news group (to prevent the failure > case of having news:users as the owner and group). Then I suggest: if (!S_ISREG(buf.st_mode) || (buf.st_mode & 0137) != 0 || ((buf.st_mode & 0040) != 0 && buf.st_gid != getgid())) { syslog(L_ERROR, "bad ownership or permissions on private key" " '%s': private key must be mode 640 at most, and readable by the news " "group only", cert_file); return (0); } I hope it will not fail in case of a setgid on nnrpd -- maybe we should use getegid() instead of getgid()? -- Julien ÉLIE « Je ne cherche pas à connaître les réponses, je cherche à comprendre les questions. » -- To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
