Subject: Re: /etc/ipsec.conf permissions
To: Curt Sampson <cjs@cynic.net>
From: Luke Mewburn <lukem@netbsd.org>
List: tech-security
Date: 04/15/2003 15:57:51
On Tue, Apr 15, 2003 at 02:40:06PM +0900, Curt Sampson wrote:
  | So our current /etc/mtree/special file says:
  | 
  | ./etc/ipsec.conf                type=file mode=0644 optional
  | 
  | If there are actual keys in this file (a bad idea, I know, because you
  | should be using racoon, but still), there are two problems here:
  | 
  | 1. You don't get warned when your keys are world-readable.
  | 
  | 2. Your keys are mailed out in cleartext, possibly over the Internet,
  | depending on where your root mail is forwarded.
  | 
  | (I found it rather ironic that it was a script named /etc/security that
  | exposed my keys to the world.)
  | 
  | Anyway, if there are no objections, I will change this to:
  | 
  | ./etc/ipsec.conf                type=file mode=0600 optional tags=nodiff

That is a good idea.

Should we also consider adding
    ./etc/racoon		type=dir  mode=0755 optional
    ./etc/racoon/racoon.conf	type=file mode=0644 optional
    ./etc/racoon/psk.txt	type=file mode=0600 optional tags=nodiff
whilst we're there.

I'm not sure if racoon.conf should be "mode=0644", or "mode=0600 tags=nodiff"

Luke.