Bug#824878: targetcli: Sensitive information exposed in configuration and backup files
Hello Christoph, Thank you for the bug report. The same is fixed in the new (-3) upload, pending inclusion into archives soon. Thanks. On Fri, 2016-05-20 at 18:57 +0200, Christoph Scheurer wrote: > Package: targetcli > Version: 1:3.0~pre4.1~ga55d018-2 > Severity: normal > > Dear Maintainer, > > the configuration file /etc/target/scsi_target.lio as well as backups in > /var/target/ are created with permissions 644 (also depending on root's umask, > of course). These files contain the clear text password(s) for > target/initiator (mutual) authentication. Please, adjust the defaults, so > these files will never be world readable, independent of root's umask setting. -- Ritesh Raj Sarraf | http://people.debian.org/~rrs Debian - The Universal Operating System signature.asc Description: This is a digitally signed message part
Bug#824878: targetcli: Sensitive information exposed in configuration and backup files
Package: targetcli Version: 1:3.0~pre4.1~ga55d018-2 Severity: normal Dear Maintainer, the configuration file /etc/target/scsi_target.lio as well as backups in /var/target/ are created with permissions 644 (also depending on root's umask, of course). These files contain the clear text password(s) for target/initiator (mutual) authentication. Please, adjust the defaults, so these files will never be world readable, independent of root's umask setting. Thanks! Ch. Scheurer -- System Information: Debian Release: 8.4 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: sysvinit (via /sbin/init) Versions of packages targetcli depends on: ii python 2.7.9-1 ii python-configshell 1.6.1~g020d540-2 ii python-rtslib 1:3.0~pre4.1~g1b33ceb-2 targetcli recommends no packages. targetcli suggests no packages. -- no debconf information