Subject: Re: /etc/ipsec.conf permissions
To: Curt Sampson <cjs@cynic.net>
From: Jim Bernard <jbernard@mines.edu>
List: tech-security
Date: 04/15/2003 12:38:36
On Tue, Apr 15, 2003 at 02:40:06PM +0900, Curt Sampson wrote:
> So our current /etc/mtree/special file says:
>
> ./etc/ipsec.conf type=file mode=0644 optional
>
> If there are actual keys in this file (a bad idea, I know, because you
> should be using racoon, but still), there are two problems here:
>
> 1. You don't get warned when your keys are world-readable.
>
> 2. Your keys are mailed out in cleartext, possibly over the Internet,
> depending on where your root mail is forwarded.
>
> (I found it rather ironic that it was a script named /etc/security that
> exposed my keys to the world.)
>
> Anyway, if there are no objections, I will change this to:
>
> ./etc/ipsec.conf type=file mode=0600 optional tags=nodiff
Please do. And afterwards, you can close PR 19246. Thanks.