Hi Manoj,
* Manoj Srivastava <srivasta@acm.org> [2008-06-05 17:34]:
> We can add it as a recommendation yes. I would hesitate to make
> it stronger until we know the number of packages that would be affected
> by this policy change.

I currently see no way to determine the number of packages
affected by this :/

> Would you care to suggest wording for the policy change, along
> with the rationale (perhaps distilled out of Bug#484570)?

Steffen Joeris and I created the following proposal:

10.7.6 Secure permissions for configuration files

Configuration files including or potentially including user
credential data like passwords should have proper permissions
to ensure that those can not be abused by other users. Thus
the file needs to be installed with the permission bit
for other users than the owner set to 0 (e.g. 600 or 640).

What do you think?

Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
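An added example, not part of the original mail and not Debian tooling: a local audit for the rule proposed above, reporting regular files that look like they hold credentials and still have any permission bit set for "other". The credential regex and the names `audit`, `other_bits` and `CREDENTIAL_RE` are assumptions made for this sketch; the sample files are constructed.

```python
import os
import re
import stat
import tempfile

# Assumed heuristic for "potentially including user credential data":
# a key containing password/passwd/secret/api_key/token followed by = or :
CREDENTIAL_RE = re.compile(
    rb"(?im)^[ \t]*[\w.-]*(passw(or)?d|secret|api[_-]?key|token)[\w.-]*[ \t]*[=:]"
)

def other_bits(mode):
    """Return the rwx bits granted to 'other' (0 for modes like 600 or 640)."""
    return stat.S_IMODE(mode) & stat.S_IRWXO

def audit(root):
    """List (path, mode) for credential-looking files with non-zero 'other' bits."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
                if not stat.S_ISREG(st.st_mode) or not other_bits(st.st_mode):
                    continue  # not a regular file, or already compliant
                with open(path, "rb") as fh:
                    data = fh.read(65536)  # the first 64 KiB is enough for a config file
            except OSError:
                continue  # vanished or unreadable: nothing to report
            if CREDENTIAL_RE.search(data):
                findings.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)

def demo():
    """Run the audit over a constructed tree; only app.conf violates the rule."""
    samples = {  # constructed sample files: name -> (mode, content)
        "app.conf": (0o644, b"user = app\npassword = example\n"),
        "db.conf": (0o640, b"db_password: example\n"),
        "key.conf": (0o600, b"api_key=example\n"),
        "motd.conf": (0o644, b"banner = hello\n"),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, (mode, body) in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(body)
            os.chmod(path, mode)  # set the mode explicitly, independent of umask
        return [(os.path.relpath(p, root), m) for p, m in audit(root)]

if __name__ == "__main__":
    print(demo())
```

Pointed at `/etc` on an installed system, `audit` gives a rough first list of affected files; each path can then be mapped to its owning package with `dpkg -S`.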