Alexander GQ Gerasiov wrote:
> Tue, 20 Jan 2009 18:39:54 +0100
> Patrick Matthäi <patrick.matth...@web.de> wrote:
>
>> Hello,
>>
>> I think a solution would be, if debconf maintains his config.dat with
>> mode 0600. AFAIK there is no need for g+r,a+r for it.
>
> I think this would be workaround, and not the real fix. Passwords should
> not be stored in debconf anyway. I don't know ucf internals, but why
> not to delete this data from debconf somewhere after user made
> decision? It would be the best idea?

In this case ucf saves the whole diff, it could not know if it is a
password or not. Also if it is not a password it may contain sensible
information.

> (But maybe config.dat should also be 0600, to prevent bad guys, who
> could permanently monitor it for private data with icron or any other
> method.)

Which should be the real fix for it I think and I also think that it
should be reassigned to debconf. R/W operations in Debian's packaging are
just done by the root user, so it .dat could be 0660/0600.

-- 
/*
Mit freundlichem Gruß / With kind regards,
 Patrick Matthäi

 E-Mail: patrick.matth...@web.de

Comment:
Always if we think we are right,
we were maybe wrong.
*/