From 63f73e06d5ce1475c671ba69817f5f1404691188 Mon Sep 17 00:00:00 2001 From: Craig Jennings Date: Wed, 8 Jul 2026 13:09:54 -0500 Subject: fix(maint): uncurate /etc/ssl/private — it was a real misconfig MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit pacman warned filesystem 755 vs package 700 on both hosts: a world-listable private-key directory, not runtime hardening as the previous commit claimed. pacman never resets existing directory permissions, so I chmod'd 700 on ratio and velox and removed the curation entry. Integrity reads an honest zero on both. --- configs/maintenance-thresholds.toml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'configs/maintenance-thresholds.toml') diff --git a/configs/maintenance-thresholds.toml b/configs/maintenance-thresholds.toml index b522f88..c14eaec 100644 --- a/configs/maintenance-thresholds.toml +++ b/configs/maintenance-thresholds.toml @@ -180,7 +180,9 @@ entries = [ "/etc/cups/subscriptions.conf", "/var/lib/passim*", # StateDirectory re-chowns "/var/log/journal", # tmpfiles re-groups - "/etc/ssl/private", # hardened below packaged mode + # /etc/ssl/private deliberately NOT here: both hosts had it world-listable + # (755 vs packaged 700) — a real misconfig the metric caught. pacman warns + # but never resets existing dir perms; fixed by chmod 2026-07-08. "/usr/lib/utempter/utempter", # setgid-helper ownership; # NOTE: also silences a # content change on this -- cgit v1.2.3