config file security
I get such a message in the logs:
WARNING: file /etc/ddclient/ddclient.conf: file /etc/ddclient/ddclient.conf must be accessible only by its owner.
However, I implement different security than "file can be opened by only owner".
My security is that the file is owned by root, but is group-readable by the ddclient user. This way the ddclient user cannot modify the file contents or file attributes, but only read them. The group ddclient is in is exclusively used by that user.
# ls -ld /etc/ddclient /etc/ddclient/ddclient.conf
drwxr-xr-x 2 root root 4096 sept 23 08:47 /etc/ddclient/
-rw-r----- 1 root ddclient 6529 sept 23 08:47 /etc/ddclient/ddclient.conf
root@rotten-fruit /etc/ddclient# id ddclient
uid=525(ddclient) gid=325(ddclient) groups=325(ddclient)
# grep 325 /etc/group /etc/passwd
/etc/group:ddclient:!:325:
/etc/passwd:ddclient:x:525:325:ddclient user:/var/run/ddclient:/bin/false
Please consider such a configuration and do not throw the warning. This is IMHO a more secure setup (kind of paranoia), but probably not everybody has such a dedicated user where group permission would be permitted.
PS: SF sucks. I was pretty sure I formatted it in a code block as it was coloured so, but now after submitting it's broken, and there's no way to modify the original ticket. Why not move the tickets to GitHub as well? I'm sure there are scripts around that can import old SF tickets to GitHub too. But I can edit my comment, and not the original ticket. WTF?!
Last edit: Elan Ruusamäe 2015-09-23
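One way to express the relaxed policy proposed in this ticket, as an added example that is not ddclient's own code: accept the classic owner-only mode, and also accept a group-readable (never group-writable, never world-accessible) file when its group is the service user's primary group and no other account can act as that group. The uid/gid values reused from the ticket's `id` output are illustrative assumptions.

```python
import grp
import os
import pwd
import stat


def members_of_group(gid):
    """Collect the uids that can act with this gid: users whose primary
    group it is, plus supplementary members listed in /etc/group."""
    uids = {p.pw_uid for p in pwd.getpwall() if p.pw_gid == gid}
    try:
        for name in grp.getgrgid(gid).gr_mem:
            try:
                uids.add(pwd.getpwnam(name).pw_uid)
            except KeyError:
                pass  # member named in /etc/group but not in /etc/passwd
    except KeyError:
        pass  # gid has no /etc/group entry; only primary-group users count
    return uids


def config_perm_problem(mode, file_uid, file_gid, run_uid, run_gid, group_uids):
    """Return None if the config file is acceptably restricted, else a reason.
    mode: st_mode or bare permission bits (e.g. 0o640)
    run_uid/run_gid: the identity the daemon runs as
    group_uids: the set of uids that can act as file_gid"""
    perm = stat.S_IMODE(mode)
    if perm & 0o007:
        return "world-accessible"
    if file_uid not in (0, run_uid):
        return "owned by neither root nor the service user"
    group_bits = perm & 0o070
    if group_bits == 0:
        return None  # classic owner-only case, what ddclient already accepts
    if group_bits & 0o020:
        return "group-writable"  # the group could alter the config
    if file_gid != run_gid or group_uids != {run_uid}:
        return "group-readable by a group not exclusive to the service user"
    return None  # root-owned, read-only for a group used only by the daemon


def check_config_file(path, run_uid=None, run_gid=None):
    """Stat a real file and apply the policy for the current (or given) identity."""
    st = os.stat(path)
    run_uid = os.geteuid() if run_uid is None else run_uid
    run_gid = os.getegid() if run_gid is None else run_gid
    return config_perm_problem(st.st_mode, st.st_uid, st.st_gid,
                               run_uid, run_gid, members_of_group(st.st_gid))
```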