Subject: Re: /etc/ipsec.conf permissions
To: Curt Sampson <>
From: Jim Bernard <>
List: tech-security
Date: 04/15/2003 12:38:36
On Tue, Apr 15, 2003 at 02:40:06PM +0900, Curt Sampson wrote:
> So our current /etc/mtree/special file says:
> ./etc/ipsec.conf                type=file mode=0644 optional
> If there are actual keys in this file (a bad idea, I know, because you
> should be using racoon, but still), there are two problems here:
> 1. You don't get warned when your keys are world-readable.
> 2. Your keys are mailed out in cleartext, possibly over the Internet,
> depending on where your root mail is forwarded.
> (I found it rather ironic that it was a script named /etc/security that
> exposed my keys to the world.)
> Anyway, if there are no objections, I will change this to:
> ./etc/ipsec.conf                type=file mode=0600 optional tags=nodiff

  Please do.  And afterwards, you can close PR 19246.  Thanks.