[Pkg-openssl-devel] Bug#702998: openssl genrsa creates private key file with insecure permissions
Paul Gevers
elbrus at debian.org
Wed Mar 13 21:51:09 UTC 2013
Package: openssl
Version: 1.0.1e-1
Severity: normal
Tags: security
When I want openssl to create a private key for me, it creates the key file
with read access to the world. I don't think that is desired behavior.
Instead I would expect the file to be read (and write) only for the owner of
the file.
paul at wollumbin ~/tmp $ openssl genrsa -out test-private.key 2048
Generating RSA private key, 2048 bit long modulus
.................+++
.............................................................................................+++
e is 65537 (0x10001)
paul at wollumbin ~/tmp $ ll test-private.key
-rw-r--r-- 1 paul paul 1679 mrt 13 22:48 test-private.key
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.2.0-4-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages openssl depends on:
ii libc6 2.13-38
ii libssl1.0.0 1.0.1e-1
ii zlib1g 1:1.2.7.dfsg-13
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20130119
-- no debconf information
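A way to check for and work around the permissions reported above, as an added example that is not part of the original report or of openssl. The helper names key_mode, key_is_private and private_out are hypothetical, and the example assumes the key-writing command creates its output with the default mode filtered by the process umask, which is consistent with the 0644 file shown in the report.

```shell
#!/bin/sh
# Added example. key_mode, key_is_private and private_out are hypothetical
# helper names, not part of openssl or Debian.

# Print a file's permission bits in octal (GNU stat first, then BSD stat).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed only when group and other have no access at all (mode & 077 == 0).
key_is_private() {
    mode=$(key_mode "$1") || return 2
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# private_out OUTFILE CMD [ARGS...]
# Run CMD so that OUTFILE ends up owner-only, then verify the result.
private_out() {
    out=$1
    shift
    # The umask only applies when a file is created. A file that already
    # exists keeps its old mode when it is truncated and rewritten, so
    # tighten it before the key material is written.
    if [ -e "$out" ]; then
        chmod 600 "$out" || return 1
    fi
    # Subshell: the stricter umask does not leak into the calling shell.
    ( umask 077 && "$@" ) || return 1
    key_is_private "$out"
}

# Usage with the command from the report:
#   private_out test-private.key openssl genrsa -out test-private.key 2048
# Audit an existing key:
#   key_is_private test-private.key || echo "readable by group/other"
```

The final key_is_private call makes the wrapper fail if the command changed the mode itself or wrote somewhere other than OUTFILE.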