Package: bley Version: 0.1.5-2 Severity: important Hi!
After installing bley, I was a bit puzzled by the permissions given to
the configuration file:
drwxr-x--- 2 root bley 4096 déc. 2 10:45 bley
-rw------- 1 bley bley 1101 déc. 2 10:45 bley/bley.conf
-rw------- 1 bley root 81 déc. 1 15:39 bley/dbconfig-common.conf
The daemon is run as the `bley` user. So this means that it can rewrite
its own configuration file. That's unusal and bad for security.
Also, given that the secrets are all in dbconfig-common.conf, why not
make bley.conf simply world readable?
I have made the following local changes and they works fine:
drwxr-xr-x 2 root bley 4096 déc. 2 10:45 bley
-rw-r--r-- 1 root root 1101 déc. 2 10:45 bley/bley.conf
-rw-r----- 1 root bley 81 déc. 1 15:39 bley/dbconfig-common.conf
This looks much more safe and idiomatic to me.
--
Lunar .''`.
lu...@debian.org : :Ⓐ : # apt-get install anarchism
`. `'`
`-
signature.asc
Description: Digital signature
