
Bug#779708: Client for updating dynamic hostname mappings for dy.fi



First off, thank you very much for the review!

On Thu, Mar 26, 2015 at 7:48 PM, Timo Juhani Lindfors
<timo.lindfors@iki.fi> wrote:
> Eugene Zhukov <jevgeni.zh@gmail.com> writes:
>> Would anyone be interested in sponsoring its client package:
>> https://bugs.debian.org/780096
>
> Some comments:
>
> 1) does dy.fi really require you to send the password in an unencrypted
> HTTP request?
>
Yes, that's the upstream implementation (a very old one though).

> 2) Does the service really need to run as root?
>
No, and this is even mentioned in the upstream readme. It needs to create
a pid file though. Any hint/pointer on how to change the packaging to
not run it as root?

> 3) Doesn't
>
> db_get dyfi/password
> sed -i "s/^Password.*/Password $RET/" /etc/dyfi-update.conf
>
> in debian/postinst let all local users see the password if they type
> "ps axuf" at the right moment?

Probably, but do I need to care about that? The targeted audience of
the service is home or small office I assume.
Thanks for looking at this from the security perspective!

Eugene
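
For point 3 in the exchange above, one way to write the debconf answer into the config file without the password ever appearing in a process argument list. This is an added example, not part of the original thread or the package: `set_conf_password` is a hypothetical helper, and it handles the secret with shell builtins only, which also avoids `sed` misbehaving on passwords that contain `/` or `&`.

```shell
#!/bin/sh
# Added example (not from the package): update the "Password" line of a
# dyfi-update style config without passing the secret to any external command.
# set_conf_password is a hypothetical helper name.
#
# Intended use in a postinst, after "db_get dyfi/password":
#   printf '%s\n' "$RET" | set_conf_password /etc/dyfi-update.conf
# printf is a shell builtin, so "ps" only ever shows the shell itself.

set_conf_password() {
    conf=$1

    # The secret arrives on stdin, never as an argument.
    IFS= read -r secret || [ -n "$secret" ] || return 1

    # mktemp creates the file with mode 0600; same directory as the target
    # so the final mv is an atomic rename.
    tmp=$(mktemp "$conf.XXXXXX") || return 1

    found=no
    # read and printf are builtins: no child process receives the secret.
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            Password*) printf 'Password %s\n' "$secret"; found=yes ;;
            *)         printf '%s\n' "$line" ;;
        esac
    done < "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }

    # Goes beyond the original sed call: add the line if it was missing.
    if [ "$found" = no ]; then
        printf 'Password %s\n' "$secret" >> "$tmp"
    fi

    # The replaced file keeps mktemp's 0600 mode, owned by the caller.
    mv "$tmp" "$conf" || { rm -f "$tmp"; return 1; }
}
```

The resulting file is readable only by the user that ran the script, so a daemon running under a different account needs the ownership adjusted separately.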

