Wrong file permissions in .deb

Nico · February 11, 2008, 7:07pm

The current openfire .deb has wrong file permissions for at least /etc/openfire/openfire.xml … it’s 644 and therefore allows reading by every user. But this config file contains passwords in plain text so it should be 600.

Daniel_Henninger · February 12, 2008, 4:21am

Hrm. It shouldn’t be doing that anymore. I explicitly fixed that in a recent release. Set in postinstall. Maybe it does not trigger if you are simply doing an upgrade? (in fact it may not touch permissions at all with an upgrade) So was this a fresh install or an upgrade?

Nico · February 12, 2008, 8:09am

This was a fresh install… previously I had a manual install of the tar archive in /opt so /etc/openfire and its content should be new I think…

Daniel_Henninger · February 12, 2008, 2:47pm

Huh. I wonder if I’m misunderstanding when the postinstall gets triggered. What distribution/version? (clearly a Debian based one I would assume ;D )

Nico · February 12, 2008, 3:41pm

I’m using Ubuntu 6.06 with latest updates

Nico · February 12, 2008, 4:30pm

The log files in /var/log/openfire have o+r permissions too. But they are created after postinst by openfire…

Daniel_Henninger · February 12, 2008, 4:44pm

I don’t care much if the files inside the directory are o+r so long as their parent directory is not world readable. =)

The permissions setup is handled by the configure step. I assume that occurs during install unless specifically told not to. I suppose you could also manually run the configure step, but it certainly shouldn’t be doing that. I did install it on my debian 4.0 dev system and it set up the permissions properly so … i’m perplexed.

Jonas · February 12, 2008, 4:58pm

The issues with the logfiles are known (or should be). I think there was an issue created somewhere in the bugtrackthingy.

A fresh install of 3.4.5 .deb on a fresh Ubuntu 7.10 creates a /etc/openfire/openfire.xml with rw for user and r for group. Nothing else. At least over here.

@jadestorm

by any chance…could you check on

http://www.igniterealtime.org/community/thread/31179?tstart=0

and

http://www.igniterealtime.org/community/thread/31199?tstart=0

?

I would be fine with a “stop nagging me with your **** problem noone else has anyway” Thats still better than absolutely no reaction.

Nico · February 12, 2008, 5:00pm

I can’t reproduce it either with a local 7.10 installation

Daniel_Henninger · February 12, 2008, 5:27pm

Hrm. Anyone know if the configure step is a “new thing”? How old is 6.06?

No.2, the log permissions were fixed by setting the parent directory to not allow the world in. Didn’t see the point in working out the logistics of making the files themselves not have world read if I could avoid it with the parent directory.

Jonas · February 13, 2008, 9:16am

Jepp I haven’t checked for permissions of the logs anymore as I changed them manually.

6.06 should have been released June 2006.

Thank you for the reply to the other two topics