Tom,
* Tom Lane (tgl@sss.pgh.pa.us) wrote:
> Now, I have heard it argued that the OpenSSH/L authors are a bunch of
> idiots who know nothing about security. But it's not like insisting
> on restrictive permissions on key files is something we invented out
> of the blue. It's pretty standard practice, AFAICT.
I certainly was not intending to imply that anyone was an 'idiot'.
Nor am I arguing that we must remove all such checks from every part of
the system.
I do contend that relying on such checks that happen on a relativly
infrequent basis in daemon processes creates a false sense of security
and does not practically improve security, today. As I mentioned
previously, perhaps before distributions were as cognizant about
security concerns or about considering how a particular daemon should
be set up, or when users were still frequently installing from source,
such checks were more valuable. However, when they get in the way of
entirely reasonable system policies and require distributions to patch
the source code, they're a problem. That doesn't mean we necessairly
have to remove them, but we should be flexible.
Similar checks in client utilities, such as the ssh example, or in psql,
are more useful and, from a practical standpoint, havn't been an issue
for system policies.
Further, we do more than check key files but also check permissions on
the data directory and don't provide any way for users to configure the
permissions on new files, which could be seen as akin to sshd requiring
user home directories to be 700 and forcing umask to 077.
Note that all of this only actually applies to OpenSSH, not to OpenSSL.
Certainly, as evidenced by the question which sparked this discussion,
the packages which are configured to use the local snakeoil cert on
Debian-based systems (which also includes postfix and Apache, offhand)
do not have a problem with the group read permissions that are being
asked for. I don't find that to be offensive or unacceptable in the
least, nor do I feel that Debian is flawed for taking this approach, or
that OpenSSL is flawed for not having such a check.
Thanks!
Stephen