Matt Zimmerman wrote:
> I think it is not helpful to restrict read permission on these files.
> Modulo local modifications, anyone can get a copy from the Debian archive,
> so their contents are not secret. The same justification applies as for not
> restricting permissions on setuid executables, as documented in the policy
> manual.

But this is different from suid executables or game data files because these
are conffiles that the admin is encouraged to edit when needed.

The scenario I thought up is as follows: The admin wants to make a local
modification to one or more files. Say he is adding some rules to ignore, so
this has some security implications if an attacker can work out what change
he made. An attacker might try to look at the files, and see if a message will
be ignored. So he could make them 600.

A very determined attacker could cross-reference the installed version of a
package with a database of file sizes and figure out if a file has had rules
added to it, but this is not likely to be too useful. If he was very paranoid
though, he could make the whole directory 700 and avoid this.

The tradeoff with making the directory 700 by default is that it makes life
harder for the admin when he's not root. Pretty minor but so is the advantage
to 700 of the time. For mode 600 files the disadvantage is that the admin can
more easily leak evidence by default (backup files, bad umask, bad editor,
whatever), and that it's still not 100% approachable as a regular user.

Which of the three is a good default I don't know. Maybe it doesn't matter
beyond that we need _a_ default so the admin has a consistent starting place
from which to determine his own policy.

> I think the files should be 644, directories 755 (currently the directories
> are unreadable as well, which is quite inconvenient).

IIRC the directories are only unreadable on older installs, or perhaps on
installs that had a certain package installed first. It's fairly random.

-- 
see shy jo
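A way to check a conffile directory for the leak paths the message describes (files readable beyond the owner, directories still searchable by others, and backup copies left behind by an editor or a loose umask that are more permissive than the file they shadow). This is an added example, not code from the thread or from any Debian package; all function names and the sample tree it builds are constructed for illustration, and it uses only POSIX `find -perm` and `ls` so it runs on any sh.

```shell
#!/bin/sh
# Added example, not from the thread or any Debian package: audit a conffile
# directory for the leak paths discussed above. All helper names and the
# sample tree below are constructed for illustration.

# Permission string of one path, e.g. "-rw-------" (ls, so no stat portability issues).
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# True when an ls permission string grants read to group (column 5) or other (column 8).
readable_beyond_owner() {
    case "$1" in
        ????r*|???????r*) return 0 ;;
        *) return 1 ;;
    esac
}

# Regular files under $1 whose mode grants read beyond the owner.
# find -perm -mode is POSIX: -040 is group read, -004 is other read.
find_shared_readable() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) | LC_ALL=C sort
}

# Directories under $1 that group or other can search (the "700 directory" question).
find_open_dirs() {
    find "$1" -type d \( -perm -010 -o -perm -001 \) | LC_ALL=C sort
}

# Backup copies (name~ or name.bak) readable beyond the owner while the file they
# shadow is owner-only: the "leak evidence by default" case (editor, umask).
find_leaky_backups() {
    find "$1" -type f \( -name '*~' -o -name '*.bak' \) | LC_ALL=C sort |
    while IFS= read -r bak; do
        orig=${bak%\~}
        orig=${orig%.bak}
        [ -f "$orig" ] || continue
        if readable_beyond_owner "$(perm_string "$bak")" &&
           ! readable_beyond_owner "$(perm_string "$orig")"; then
            printf '%s\n' "$bak"
        fi
    done
}

# Constructed sample tree reproducing all three findings; prints its path.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'ignore this pattern\n' > "$d/ignore.d.local"
    chmod 600 "$d/ignore.d.local"        # the admin's private rule file
    cp "$d/ignore.d.local" "$d/ignore.d.local~"
    chmod 644 "$d/ignore.d.local~"       # what a backup written under umask 022 looks like
    printf 'shipped default\n' > "$d/README"
    chmod 644 "$d/README"                # package-shipped, public content: fine to share
    mkdir "$d/rules.d"
    chmod 755 "$d/rules.d"               # a directory left searchable by everyone
    printf '%s\n' "$d"
}

# Print a human-readable report for one directory.
audit_dir() {
    echo "Readable beyond owner:";  find_shared_readable "$1"
    echo "Searchable directories:"; find_open_dirs "$1"
    echo "Leaky backup copies:";    find_leaky_backups "$1"
}

# Usage: sh audit.sh /path/to/conffile/dir
# With no argument, audits the constructed sample tree and removes it afterwards.
if [ "$#" -gt 0 ]; then
    audit_dir "$1"
else
    sample=$(make_sample_dir)
    audit_dir "$sample"
    rm -rf "$sample"
fi
```

The third check is the one the message's "backup files, bad umask, bad editor" remark is about: a 600 rule file is only as private as the loosest copy of it, so the audit flags any `name~` or `name.bak` that is readable beyond the owner while `name` itself is not. The `README` in the sample tree is deliberately 644 and is reported by the first check but not the third, since a shipped file is public anyway; what to do with such findings is the local policy question the message leaves open.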