Bug#571631: libapache2-mod-shib2: shib-keygen generates world-readable key file

Russ Allbery rra at debian.org
Fri Mar 5 18:01:23 UTC 2010


Ferenc Wagner <wferi at niif.hu> writes:

> How should we proceed with this bug?  I'm not sure it warrants a
> security update, so I didn't want to push this patch.

It doesn't really warrant a security update, I think.  However, we should
apply it to the unstable shibboleth-sp2 and do another upload.  I don't
feel a strong need to fix it in stable, apart from the backports.org
backport.

Note that we can't just use umask 177 in the Debian version of this script
since Debian runs shibd as a non-root user and then won't be able to read
the certificate.  For Debian, we should set the group ownership to the
shibd user we create and make the file group-readable.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
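
The permission scheme described in the message above (no world access, read access through the daemon's group), sketched as an added example; this is not code from shib-keygen or the Debian package. The function names are hypothetical, the group is supplied by the caller, key material is read from stdin, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: store a private key so it is never world-readable, then
# grant read access to the daemon's group only (mode 0640).
# Assumptions: GNU stat; the caller passes the group as a name or gid.

# write_key_for_group DEST GROUP
# Reads key material on stdin and installs it at DEST as owner rw, GROUP r.
write_key_for_group() {
    dest=$1 group=$2
    (
        # Restrictive umask in a subshell: the temporary file starts out
        # 0600, so other users never get a window in which to read it.
        umask 077
        tmp=$(mktemp "${dest}.XXXXXX") || exit 1
        cat > "$tmp" &&
        chgrp "$group" "$tmp" &&
        chmod 0640 "$tmp" &&
        mv -f "$tmp" "$dest" || { rm -f "$tmp"; exit 1; }
    )
}

# key_perms_ok FILE GROUP
# Succeeds only if FILE grants nothing to "other", nothing beyond read to
# the group, and is group-owned by GROUP (matched by name or numeric gid).
key_perms_ok() {
    file=$1 group=$2
    mode=$(stat -c '%a' "$file") || return 1
    owner_group=$(stat -c '%G' "$file")
    owner_gid=$(stat -c '%g' "$file")
    case $mode in
        400|440|600|640) ;;
        *) return 1 ;;   # e.g. 644: the world-readable case from the bug
    esac
    [ "$owner_group" = "$group" ] || [ "$owner_gid" = "$group" ]
}
```

Changing the group to one the caller does not belong to requires root, which is the normal situation in a package maintainer script.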




