Package: bley
Version: 0.1.5-2
Severity: important

Hi!

After installing bley, I was a bit puzzled by the permissions given to the
configuration file:

    drwxr-x--- 2 root bley 4096 déc.  2 10:45 bley
    -rw------- 1 bley bley 1101 déc.  2 10:45 bley/bley.conf
    -rw------- 1 bley root   81 déc.  1 15:39 bley/dbconfig-common.conf

The daemon is run as the `bley` user. So this means that it can rewrite
its own configuration file. That's unusual and bad for security.

Also, given that the secrets are all in dbconfig-common.conf, why not make
bley.conf simply world readable?

I have made the following local changes and they work fine:

    drwxr-xr-x 2 root bley 4096 déc.  2 10:45 bley
    -rw-r--r-- 1 root root 1101 déc.  2 10:45 bley/bley.conf
    -rw-r----- 1 root bley   81 déc.  1 15:39 bley/dbconfig-common.conf

This looks much more safe and idiomatic to me.

-- 
Lunar                                .''`.
lu...@debian.org                    : :Ⓐ  :  # apt-get install anarchism
                                    `. `'`
                                      `-
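Added example, not part of the original report or of the bley package: a small audit that applies the report's reasoning to `ls -l` output, flagging files the daemon account owns or can write and checking that the secrets file is readable by the daemon but not by everyone. The function names are hypothetical, the listing lines are the ones quoted in the report, and it assumes the `bley` account belongs only to the `bley` group.

```python
from typing import NamedTuple

# Listings as quoted in the report (shipped state, then the reporter's local changes).
BEFORE = ["drwxr-x--- 2 root bley 4096 déc. 2 10:45 bley",
          "-rw------- 1 bley bley 1101 déc. 2 10:45 bley/bley.conf",
          "-rw------- 1 bley root 81 déc. 1 15:39 bley/dbconfig-common.conf"]
AFTER = ["drwxr-xr-x 2 root bley 4096 déc. 2 10:45 bley",
         "-rw-r--r-- 1 root root 1101 déc. 2 10:45 bley/bley.conf",
         "-rw-r----- 1 root bley 81 déc. 1 15:39 bley/dbconfig-common.conf"]
SECRETS = {"bley/dbconfig-common.conf"}

class Entry(NamedTuple):
    mode: str   # e.g. "-rw-------"
    owner: str
    group: str
    path: str

def parse_ls_line(line):
    # Field layout: mode links owner group size month day time name
    f = line.split(None, 8)
    return Entry(f[0], f[2], f[3], f[8])

def effective_bits(e, user, groups):
    """rwx triplet that applies to `user`: the first matching class wins."""
    if e.owner == user:
        return e.mode[1:4]
    if e.group in groups:
        return e.mode[4:7]
    return e.mode[7:10]

def audit(lines, daemon, secret_files, groups=None):
    groups = groups or {daemon}   # assumption: daemon is only in its own group
    findings = []
    for e in map(parse_ls_line, lines):
        bits = effective_bits(e, daemon, groups)
        if e.owner == daemon:
            findings.append((e.path, "owned by daemon user (can chmod and rewrite)"))
        elif "w" in bits:
            findings.append((e.path, "writable by daemon user"))
        if e.path in secret_files:
            if e.mode[7] == "r":
                findings.append((e.path, "secret is world-readable"))
            if "r" not in bits and e.owner != daemon:
                findings.append((e.path, "daemon cannot read its secret"))
    return findings

if __name__ == "__main__":
    for name, listing in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(listing, "bley", SECRETS))
```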