Re: Question about world readable config files and commented warnings

[gremlin () gremlin ru]

On 2015-06-29 23:11:08 -0600, Kurt Seifried wrote:

> So, if a config file is world readable by default, but the section
> where you might put a password says:
> # Database URI for the database that stores the package
> # information. If it contains a password, make sure to
> # adjust the permissions of the config
> Is that good enough, e.g. no CVE, or do we actually need to have
> proper permissions?

For me, that means: the developers did their best, everything else
is up to package maintainers.

And, obviously, when the administrators will fill in the connection
parameters, they most likely will see this warning.

> I'm thinking we need proper permissions and not a note (especially
> with administration tools/etc that may parse/modify the file
> but not change the perms).

My experience says that developers' attempts to perform chmod (or,
even worse, chown) during `make install` are just ugly (at least
they never check whether DESTDIR is empty).


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin <gremlin ПРИ gremlin ТЧК ru>
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8 @ hkp://keys.gnupg.net