Comment 6 for bug 1206254

Revision history for this message
Jeremy Stanley (fungi) wrote :

Agreed--loose permissions on sensitive files are always a risk of some kind. I'm unconvinced that gratuitous read permissions on the CA's serial and index files are really an issue (on a plaintext CA private key this would be another matter entirely).

Additional write permissions on those are of course a concern, if that can result from this bug... are we setting the process umask to something which would permit these files to be created with o+w? This would absolutely be unusual as a default on any platforms I've used, though I suppose g+w is possible (if considerably less exploitable under typical use cases).

I'm mainly just trying to make sure that when we draft an impact description for the advisory, we appropriately characterize the situations under which this bug could be exploitable and what risks it actually presents to an environment.