Bug#571631: libapache2-mod-shib2: shib-keygen generates world-readable key file

Russ Allbery rra at debian.org
Fri Mar 5 18:39:50 UTC 2010


"Scott Cantor" <cantor.2 at osu.edu> writes:

>> Note that we can't just use umask 177 in the Debian version of this script
>> since Debian runs shibd as a non-root user and then won't be able to read
>> the certificate.  For Debian, we should set the group ownership to the
>> shibd user we create and make the file group-readable.

> If there's a better patch you'd like upstream for this use case, just add it
> to the SP bug report. I'm not shipping it any time soon, so whatever is
> easiest.

Thank you for the offer!  I think it's going to be a bit tricky for you to
do something upstream that will also work in Debian without modifications,
since you won't be able to rely on the group that we're creating as part
of the package installation, so I suspect we should probably carry a local
patch here to make the ownership line up with what the package is doing.
Unless you want to document creation of a particular user and group as
part of the package installation, but my guess is that probably isn't the
direction you want to go.

-- 
Russ Allbery (rra at debian.org)               <http://www.eyrie.org/~eagle/>
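The fix discussed in this thread has two parts: create the key with a restrictive umask so it is never world-readable, even for a moment, and then give the unprivileged daemon read access through group ownership (mode 0640) rather than relying on a root-only 0600 file. The POSIX shell below is an added illustration of that approach and is not the shib-keygen script, Debian's patch, or upstream code. The daemon group is passed in as a parameter because the group name created by the package is not stated here; the `_shibd` name in the comment is a constructed placeholder. The `openssl genrsa` call is only used when openssl is present; otherwise an empty placeholder file stands in so the permission handling can still be exercised.

```shell
#!/bin/sh
# Added example (not the Debian or upstream shib-keygen script): generate a
# private key that is never world-readable, then grant read access to the
# daemon's group instead of leaving it root-only.
# Assumption: the caller supplies the daemon group (e.g. a constructed
# placeholder such as "_shibd"); the real name comes from the package.

# Return the symbolic mode string of a file, e.g. "-rw-r-----".
# Portable across GNU and BSD ls (only the first ten characters are used).
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# Create key file $1, owned by the caller and group $2, mode 0640.
create_group_readable_key() {
    keyfile=$1
    group=$2
    # umask only affects newly created files, so never reuse an existing
    # (possibly world-readable) file: remove it first.
    rm -f "$keyfile" || return 1
    # umask 177 in a subshell leaves the caller's umask untouched and makes
    # the file 0600 from its first byte, closing the window in which a
    # 0644 default would expose the key to every local user.
    if command -v openssl >/dev/null 2>&1; then
        ( umask 177 && openssl genrsa -out "$keyfile" 2048 2>/dev/null ) || return 1
    else
        # Constructed placeholder for hosts without openssl (no real key).
        ( umask 177 && : > "$keyfile" ) || return 1
    fi
    # Hand read access to the daemon's group only; "other" stays at 0.
    chgrp "$group" "$keyfile" || return 1
    chmod 640 "$keyfile" || return 1
    # Refuse to succeed unless the result is exactly owner rw, group r.
    case $(file_mode "$keyfile") in
        -rw-r-----) return 0 ;;
        *) echo "unexpected mode on $keyfile: $(file_mode "$keyfile")" >&2
           return 1 ;;
    esac
}

# Audit helper: succeed only if the file grants no permissions to "other".
# Useful as a post-install or monitoring check for already deployed keys.
key_is_not_world_readable() {
    case $(file_mode "$1") in
        *---) return 0 ;;   # last three characters are the "other" bits
        *)    return 1 ;;
    esac
}

# Usage: create_group_readable_key /etc/shibboleth/sp-key.pem _shibd
```

Run as the account that should own the key and pass the group the daemon runs under; the audit function can be pointed at any existing key file to catch the world-readable condition described in this bug.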





More information about the Pkg-shibboleth-devel mailing list