Hello, what if I then decide to mv it to replace mine? What was wrong with the previous scheme (write the packaged version of the file within the same directory)? I'm not a security expert; if you say it's safe and there's nothing to worry about, that's fine with me.
2017-01-22 13:45 GMT+01:00 Colin Watson <[email protected]>:

> On Sun, Jan 22, 2017 at 12:57:38PM +0100, Guillem Jover wrote:
> > On Sun, 2017-01-22 at 11:56:59 +0100, Benoît wrote:
> > > I'm upgrading openssh server and dpkg tells me about a new config file.
> > > I usually find a .dist-something file beside the current file.
> > > I couldn't.
> > > Then I read carefully dpkg's message.
> > > It's telling me to check a file with a hard-to-remember name in /tmp/.
> > > And that file is world readable, unlike my current config file.
> > >
> > > I don't know if it's safe to have a sshd_config world-readable, but
> > > some other package conf file may store secret information.
> > > So putting the new file world readable in a world-readable dir doesn't
> > > seem right to me.
> > >
> > > $ LANG=C ls -la /tmp/fileaURJMg /etc/ssh/sshd_config
> > > -rw------- 1 root root 2425 Jan 28 2016 /etc/ssh/sshd_config
> > > -rw-r--r-- 1 root root 3361 Jan 16 16:11 /tmp/fileaURJMg
> >
> > This would be due to the ucf usage (which TBH I always find slightly
> > annoying), so I'm reassigning to ucf and marking as affecting
> > openssh-server.
>
> The temporary file here is the *packaged* version of the file, modified
> only to take account of values set in the debconf database; it is by
> definition world-readable, containing no secret information. There's no
> information leak going on here.
>
> --
> Colin Watson [[email protected]]

--
Benoît Dejean

