private keys shouldn't be world-readable #82
Comments
Oh, and by the way, thanks a lot for this great tool - finally a workable secure boot management tool :)
Yolo, copy-pasted code. Thanks :)
Interesting, my keys are 600... I wonder when the regression happened.
I just traversed backwards through But here the initial creation of the files was removed from
Maybe the code should even check for too permissive file permissions and refuse signing in this case. Like OpenSSH enforces it for private keys.
I think that's reasonable, but please with better error messages :p
We can just do an https://github.com/Foxboron/sbctl/blob/master/cmd/sbctl/main.go#L69-L78
Fixed with ea325ca
All key material, including private keys, is created world-readable (0644 here) at the moment. Exposing this secret key material to unprivileged users and processes poses a security vulnerability.
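The permission check suggested in the comments (refuse to use a private key that group or others can access, as OpenSSH does), together with writing keys as 0600, as an added example. This is not sbctl's code and not the fix in ea325ca; the function names `WritePrivateKey` and `CheckPrivateKeyPerms`, the error value and the sample path are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// ErrKeyTooOpen is returned when a private key is accessible to group or others.
var ErrKeyTooOpen = errors.New("private key permissions are too open")

// WritePrivateKey (hypothetical helper) writes key material with mode 0600.
// os.WriteFile applies the mode only when it creates the file, so the explicit
// Chmod tightens a file that already exists with a wider mode such as 0644.
func WritePrivateKey(path string, pem []byte) error {
	if err := os.WriteFile(path, pem, 0o600); err != nil {
		return err
	}
	return os.Chmod(path, 0o600)
}

// CheckPrivateKeyPerms (hypothetical helper) rejects a key file if any group
// or other permission bit is set, the mask check OpenSSH uses for private keys.
func CheckPrivateKeyPerms(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	if !info.Mode().IsRegular() {
		return fmt.Errorf("%s: not a regular file", path)
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("%w: %s has mode %04o, expected 0600 or stricter", ErrKeyTooOpen, path, perm)
	}
	return nil
}

func main() {
	dir, _ := os.MkdirTemp("", "keys")
	defer os.RemoveAll(dir)
	key := filepath.Join(dir, "db.key") // constructed sample path
	os.WriteFile(key, []byte("constructed sample, not a real key"), 0o644)
	os.Chmod(key, 0o644) // force the world-readable mode regardless of umask
	fmt.Println("before:", CheckPrivateKeyPerms(key))
	WritePrivateKey(key, []byte("constructed sample, not a real key"))
	fmt.Println("after: ", CheckPrivateKeyPerms(key))
}
```

A signing command would call the check before loading the key and print the returned error, which names the file and its current mode.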