Bug#285989: exim4-config: Creates world-readable config file
Andreas Metzler
Andreas Metzler <ametzler@downhill.at.eu.org>, 285989@bugs.debian.org
Thu, 16 Dec 2004 20:36:03 +0100
On 2004-12-16 Stephen Gran <sgran@debian.org> wrote:
> Package: exim4-config
> Version: 4.34-9
> Severity: normal
> -rw-r--r-- 1 root Debian-exim 10783 2004-12-11 12:58 config.autogenerated
> That seems less than ideal, especially given that things like sql
> passwords can be stored in it. Since upstream has the hide option for
> things just like that, it seems that they also do not encourage this
> file to be world-readable.
[...]
Upstream has the file globally readable by default. Otherwise
nice stuff like exim4 -bt won't work as an unprivileged user. We are
careful to not keep passwords in it by default and offer the
possibility to change it.
update-exim4.conf(8)
NOTES
update-exim4.conf changes the file permissions of the output
file to the value of the environment variable CFILEMODE, if
CFILEMODE is set neither in
/etc/exim4/update-exim4.conf.conf nor in the environment it
defaults to 0644. Change this to 0640 if you’re keeping
sensible information (LDAP credentials et. al.) in there.
This predates the possibility of keeping unsplit config; I can improve
this a little by making config.autogenerated 0640 if
/etc/exim4/exim4.conf.template is not world-readable and unsplit config
is chosen.
cu andreas
--
"See, I told you they'd listen to Reason," [SPOILER] Svfurlr fnlf,
fuhggvat qbja gur juveyvat tha.
Neal Stephenson in "Snow Crash"
http://downhill.aus.cc/
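
A check for the situation discussed in this message, as an added example that is not part of the original mail or of the exim4 packaging: it reports whether a generated config file is world-readable and which CFILEMODE, if any, is set in update-exim4.conf.conf. The function names are hypothetical, both paths are passed as arguments, and it assumes GNU stat and that CFILEMODE is written as a shell-style assignment such as CFILEMODE='0640'.

```shell
# Added example: audit the permissions of exim4's generated config.
# Assumption: CFILEMODE appears in update-exim4.conf.conf as a shell-style
# assignment, e.g. CFILEMODE='0640'. Function names are hypothetical.

# Print the CFILEMODE value set in the conf file ($1), or nothing if unset.
# The last assignment wins, as it would when a shell reads the file.
conf_cfilemode() {
    sed -n "s/^[[:space:]]*CFILEMODE=[\"']\{0,1\}\([0-7]\{3,4\}\)[\"']\{0,1\}[[:space:]]*\$/\1/p" \
        "$1" 2>/dev/null | tail -n 1
}

# Return 0 if the mode of file $1 has the "other read" bit set.
is_world_readable() {
    mode=$(stat -c %a "$1") || return 2
    [ $(( 0$mode & 4 )) -ne 0 ]
}

# $1 = generated config (e.g. config.autogenerated)
# $2 = update-exim4.conf.conf
# Returns 1 if the generated config is world-readable, 0 otherwise.
audit_exim_config() {
    generated=$1
    conf=$2
    configured=$(conf_cfilemode "$conf")
    echo "CFILEMODE in $conf: ${configured:-unset (documented default 0644)}"
    if is_world_readable "$generated"; then
        echo "WARN: $generated is world-readable (mode $(stat -c %a "$generated"))"
        return 1
    fi
    echo "OK: $generated is not world-readable"
}
```

A warning here only matters if credentials are actually kept in the file; with the default 0644 it is expected output.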