powered by Jive Software

Wrong file permissions in .deb

The current openfire .deb has wrong file permissions for at least /etc/openfire/openfire.xml … it’s 644 and therefore allows reading by every user. But this config file contains passwords in plain text so it should be 600.

Hrm. It shouldn’t be doing that anymore. I explicitly fixed that in a recent release. Set in postinstall. Maybe it does not trigger if you are simply doing an upgrade? (in fact it may not touch permissions at all with an upgrade) So was this a fresh install or an upgrade?

This was a fresh install… previously I had a manual install of the tar archive in /opt so /etc/openfire and its content should be new I think…

Huh. I wonder if I’m misunderstanding when the postinstall gets triggered. What distribution/version? (clearly a Debian based one I would assume ;D )

I’m using Ubuntu 6.06 with latest updates

The log files in /var/log/openfire have o+r permissions too. But they are created after postinst by openfire…

I don’t care much if the files inside the directory are o+r so long as their parent directory is not world readable. =)

The permissions setup is handled by the configure step. I assume that occurs during install unless specifically told not to. I suppose you could also manually run the configure step, but it certainly shouldn’t be doing that. I did install it on my debian 4.0 dev system and it set up the permissions properly so … i’m perplexed.

The issues with the logfiles are known (or should be). I think there was an issue created somewhere in the bugtrackthingy.

A fresh install of 3.4.5 .deb on a fresh Ubuntu 7.10 creates a /etc/openfire/openfire.xml with rw for user and r for group. Nothing else. At least over here.

@jadestorm

by any chance…could you check on

http://www.igniterealtime.org/community/thread/31179?tstart=0

and

http://www.igniterealtime.org/community/thread/31199?tstart=0

?

I would be fine with a “stop nagging me with your **** problem noone else has anyway” :stuck_out_tongue: Thats still better than absolutely no reaction.

I can’t reproduce it either with a local 7.10 installation

Hrm. Anyone know if the configure step is a “new thing”? How old is 6.06?

No.2, the log permissions were fixed by setting the parent directory to not allow the world in. Didn’t see the point in working out the logistics of making the files themselves not have world read if I could avoid it with the parent directory.

Jepp I haven’t checked for permissions of the logs anymore as I changed them manually.

6.06 should have been released June 2006.

Thank you for the reply to the other two topics