Bug#571631: libapache2-mod-shib2: shib-keygen generates world-readable key file

Ferenc Wagner wferi at niif.hu
Mon Mar 1 14:03:02 UTC 2010


forwarded 571631 https://bugs.internet2.edu/jira/browse/SSPCPP-106
thanks

Dominic Hargreaves <dom at earth.li> writes:

> # ls -l sp*
> ls: cannot access sp*: No such file or directory
> # shib-keygen 
> [...]
> # ls -l sp*
> -rw-r--r-- 1 root root 1164 Feb 26 15:39 sp-cert.pem
> -rw-r--r-- 1 root root 1675 Feb 26 15:39 sp-key.pem
>
> I believe that sp-key.pem should not be made world-readable, and
> therefore suggest that the script changes its umask accordingly, and
> then chmods the non-private certificate to be world-readable afterwards.

It's fixed in the current version, but in a weaker way: by removing
permissions after creation.  I added a note to SSPCPP-106 to find out
upstream's opinion, though we certainly can fix this independently.
Russ, what do you think?
-- 
Thanks,
Feri.
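
The two ways of creating the key file that the thread contrasts, written out as an added example (this is not the shib-keygen script shipped in the package, nor code from anyone in the thread). The sp-key.pem and sp-cert.pem names are the files listed in the report; the openssl command lines, the hostname, and the use of printf as a stand-in generator when showing the permission bits are assumptions made for the example.

```shell
#!/bin/sh
# Added example: two ways a shell script can create a private key file, and
# why only one of them is safe. Not the shib-keygen script itself.
set -eu

# Permission string of a file (e.g. -rw-------), using only ls so it works on
# both GNU and BSD userlands (an ACL/SELinux marker in column 11 is dropped).
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Weak: create the file under the ordinary umask (022 here, as on a typical
# root shell, so the file is born 0644) and take the permissions away
# afterwards. Between the two commands the secret is world-readable, and if
# the script dies in between it stays that way. Prints the mode the file had
# during that window, which is what any other local user could see.
write_then_chmod() {
    path=$1; shift
    ( umask 022; "$@" > "$path" )
    file_mode "$path"
    chmod 600 "$path"
}

# Correct: tighten the umask before the file exists. The umask change lives
# in a subshell, so the caller's umask is untouched, and the file is 0600
# from the moment it is created. No clean-up chmod is needed.
write_private() {
    path=$1; shift
    ( umask 077; "$@" > "$path" )
}

# shib-keygen-shaped procedure built on the same idea: everything is created
# under umask 077, then only the certificate (public data) is opened up.
# The openssl invocations and the default CN are assumptions for the example.
# umask only governs file creation, so an existing 0644 sp-key.pem would keep
# its mode when overwritten; refuse to overwrite instead.
keygen() {
    dir=$1
    hostname=${2:-sp.example.org}
    for f in "$dir/sp-key.pem" "$dir/sp-cert.pem"; do
        if [ -e "$f" ]; then
            echo "$f already exists, not overwriting" >&2
            return 1
        fi
    done
    (
        umask 077
        openssl genrsa -out "$dir/sp-key.pem" 2048 2>/dev/null
        openssl req -new -x509 -days 3650 -subj "/CN=$hostname" \
            -key "$dir/sp-key.pem" -out "$dir/sp-cert.pem" 2>/dev/null
    )
    chmod 644 "$dir/sp-cert.pem"   # certificate is public; key stays 0600
}

# Demonstration with printf standing in for the key generator:
#   sh keygen-example.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    printf 'chmod afterwards, mode during the window: %s\n' \
        "$(write_then_chmod "$tmp/secret" printf 'not a real key')"
    write_private "$tmp/sp-key.pem" printf 'not a real key'
    printf 'umask first, mode at creation: %s\n' "$(file_mode "$tmp/sp-key.pem")"
    rm -rf "$tmp"
fi
```

The subshell around umask is the important detail: it keeps the restrictive mask scoped to the commands that produce the secret, so the rest of the script (and the interactive shell that sourced it, if any) carries on with the normal umask, while the key file never exists in a readable state.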