Subject: /etc/ipsec.conf permissions
To: None <>
From: Curt Sampson <>
List: tech-security
Date: 04/15/2003 14:40:06
So our current /etc/mtree/special file says:

./etc/ipsec.conf                type=file mode=0644 optional

If there are actual keys in this file (a bad idea, I know, because you
should be using racoon, but still), there are two problems here:

1. You don't get warned when your keys are world-readable.

2. Your keys are mailed out in cleartext, possibly over the Internet,
depending on where your root mail is forwarded.

(I found it rather ironic that it was a script named /etc/security that
exposed my keys to the world.)

Anyway, if there are no objections, I will change this to:

./etc/ipsec.conf                type=file mode=0600 optional tags=nodiff

Curt Sampson  <>   +81 90 7737 2974
    Don't you know, in this new Dark Age, we're all light.  --XTC