Subject: Re: /etc/ipsec.conf permissions
To: Curt Sampson <firstname.lastname@example.org>
From: Luke Mewburn <email@example.com>
Date: 04/15/2003 15:57:51
On Tue, Apr 15, 2003 at 02:40:06PM +0900, Curt Sampson wrote:
| So our current /etc/mtree/special file says:
| ./etc/ipsec.conf type=file mode=0644 optional
| If there are actual keys in this file (a bad idea, I know, because you
| should be using racoon, but still), there are two problems here:
| 1. You don't get warned when your keys are world-readable.
| 2. Your keys are mailed out in cleartext, possibly over the Internet,
| depending on where your root mail is forwarded.
| (I found it rather ironic that it was a script named /etc/security that
| exposed my keys to the world.)
| Anyway, if there are no objections, I will change this to:
| ./etc/ipsec.conf type=file mode=0600 optional tags=nodiff
That is a good idea.
Should we also consider adding
./etc/racoon type=dir mode=0755 optional
./etc/racoon/racoon.conf type=file mode=0644 optional
./etc/racoon/psk.txt type=file mode=0600 optional tags=nodiff
whilst we're there.
I'm not sure if racoon.conf should be "mode=0644", or "mode=0600 tags=nodiff"