Tom,

* Tom Lane (t...@sss.pgh.pa.us) wrote:
> Now, I have heard it argued that the OpenSSH/L authors are a bunch of
> idiots who know nothing about security. But it's not like insisting
> on restrictive permissions on key files is something we invented out
> of the blue. It's pretty standard practice, AFAICT.
I certainly was not intending to imply that anyone was an 'idiot'. Nor am I arguing that we must remove all such checks from every part of the system. I do contend that relying on such checks that happen on a relatively infrequent basis in daemon processes creates a false sense of security and does not practically improve security, today.

As I mentioned previously, perhaps before distributions were as cognizant about security concerns or about considering how a particular daemon should be set up, or when users were still frequently installing from source, such checks were more valuable. However, when they get in the way of entirely reasonable system policies and require distributions to patch the source code, they're a problem. That doesn't mean we necessarily have to remove them, but we should be flexible.

Similar checks in client utilities, such as the ssh example, or in psql, are more useful and, from a practical standpoint, haven't been an issue for system policies.

Further, we do more than check key files but also check permissions on the data directory and don't provide any way for users to configure the permissions on new files, which could be seen as akin to sshd requiring user home directories to be 700 and forcing umask to 077.

Note that all of this only actually applies to OpenSSH, not to OpenSSL. Certainly, as evidenced by the question which sparked this discussion, the packages which are configured to use the local snakeoil cert on Debian-based systems (which also includes postfix and Apache, offhand) do not have a problem with the group read permissions that are being asked for. I don't find that to be offensive or unacceptable in the least, nor do I feel that Debian is flawed for taking this approach, or that OpenSSL is flawed for not having such a check.

Thanks!

Stephen
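The kind of key-file permission check under debate, as an added example written for this page rather than code from PostgreSQL, OpenSSH or anyone in this thread. The policy it encodes is an assumption chosen to illustrate the "flexible" check Stephen asks for: a key owned by the server user must be 0600 or tighter, while a root-owned key may be group-readable (0640 or tighter) so that a shared certificate group, like the Debian snakeoil layout mentioned above, can grant access without the distribution having to patch the check out; world access and group write are rejected in every case. Function names (`check_key_file_mode`, `check_key_file`, `demo`) are this example's own.

```python
import os
import stat
import tempfile


def check_key_file_mode(mode, owner_uid, server_uid, root_uid=0):
    """Evaluate a private key file's mode bits and owner against a policy.

    Returns None when acceptable, otherwise a short description of the problem.
    The policy is an assumption made for this example, not any project's rule:
      - owned by the server user: no group or other access at all (0600 or tighter);
      - owned by root: group read is tolerated (0640 or tighter) so a shared
        certificate group can grant access, but no group write/exec and no
        world access;
      - owned by anyone else: rejected.
    """
    if not stat.S_ISREG(mode):
        return "not a regular file"
    perm = stat.S_IMODE(mode)
    if owner_uid == server_uid:
        if perm & (stat.S_IRWXG | stat.S_IRWXO):
            return "owned by server user but accessible to group or others (mode %04o)" % perm
        return None
    if owner_uid == root_uid:
        if perm & stat.S_IRWXO:
            return "owned by root but world accessible (mode %04o)" % perm
        if perm & (stat.S_IWGRP | stat.S_IXGRP):
            return "owned by root but group writable or executable (mode %04o)" % perm
        return None
    return "owned by uid %d, which is neither the server user nor root" % owner_uid


def check_key_file(path, server_uid=None):
    """stat() a key file on disk and apply check_key_file_mode to it."""
    # lstat so a symlink is reported as 'not a regular file' instead of followed
    st = os.lstat(path)
    if server_uid is None:
        server_uid = os.geteuid()
    return check_key_file_mode(st.st_mode, st.st_uid, server_uid)


def demo():
    """Create a throwaway key-like file, try several modes, and return the verdicts.

    The file is constructed here purely for illustration; it holds no real key.
    """
    results = {}
    fd, path = tempfile.mkstemp(prefix="example-key-")
    os.close(fd)
    try:
        me = os.geteuid()
        for perm in (0o600, 0o640, 0o644):
            os.chmod(path, perm)
            results["%04o" % perm] = check_key_file(path, server_uid=me)
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    for mode, verdict in demo().items():
        print(mode, "->", verdict or "ok")
```

Because the file-owned-by-server-user case stays at 0600 and only the root-owned case admits group read, the check still catches the configuration errors the strict version was meant to catch (a key the server user accidentally left world-readable) while not standing in the way of a distribution that deliberately hands keys to a group.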