Your message dated Wed, 3 Jan 2007 11:52:47 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Removed
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: zebra
Version: 0.92a-5woody2
Severity: important
Tags: security
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi.
I've just started playing with zebra, and the first thing I did was I
let everybody access to the zebra VTY. Fortunately enough, no users
except for me have an access this system, but it could have been worse.
| % ls -l /etc/zebra
| total 9
| -rw-r--r-- 1 root root 590 Jan 4 19:11 bgpd.conf
| -rw-r--r-- 1 root root 372 Mar 4 04:54 daemons
| -rw-r--r-- 1 root root 1169 Jan 4 19:11 ospf6d.conf
| -rw-r--r-- 1 root root 219 Jan 4 19:11 ospfd.conf
| -rw-r--r-- 1 root root 429 Jan 4 19:11 ripd.conf
| -rw-r--r-- 1 root root 422 Jan 4 19:11 ripngd.conf
| -rw-r--r-- 1 root root 101 Jan 4 19:11 vtysh.conf
| -rw-r--r-- 1 root root 446 Mar 4 04:50 zebra.conf
| % cat /etc/zebra/zebra.conf
| ! -*- zebra -*-
| !
| ! zebra sample configuration file
| !
| ! $Id: zebra.conf.sample,v 1.14 1999/02/19 17:26:38 developer Exp $
| !
| hostname myhost.mydomain.com
| !password zebra
| password 8_EaOA=A-IKQ
| ! enable password zebra
The problem was I happily added a strong password, along the
``!password zebra'' line. I wouldn't think the file would be
world-readable, such files aren't, in Debian.
Either the files under /etc/zebra that (may) contain passwords should be
chmod 600 by default, or the conffiles should contain something like:
``Make sure the permission bits are set so that no read permission is
given to users that should not know the password -- chmod 600 should do,
if you are not sure.''
..before the ``!password zebra'' line.
I'd suggest to stick with the former, as the latter is too errorprone,
IMO.
Whether it is good to suggest such a trivial password (``zebra''),
should be considered too, maybe ``<a strong password>'' would be better.
Cheers,
Jan.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org
iD8DBQFARrRO+uczK20Fa5cRAhtIAKCrwwrSp2uWp4IBXdVexM+YR1EyMgCgrMg5
hbrmOrWThj5P8Akn++rLX1w=
=sYW9
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
zebra has been removed: orphaned upstream, superseded by zebra-pj
and/or quagga. If this bug still exists in zebra-pj, please open a
new one or let me know.
--
Martin Michlmayr
http://www.cyrius.com/
--- End Message ---
