httpd: support encrypted tls server keys
On 21.02.2026 at 14:01, Stuart Henderson wrote:
> On 2026/02/20 18:47, Peter Hessler wrote:
>> I hate _hate_ _HATE_ the bullshit permissions checking that isn't
>> necessary.
>
> I totally agree, especially the checks for group-writable in many
> parse.y that make no sense at all...
>

What drew attention to this was someone wanting to add support for cleartext passwords in httpd.conf. It then turned out relayd.conf may contain cleartext passwords already, for whatever reason.

I strongly agree that storing cleartext passwords anywhere if avoidable is a bad idea. There has been a lot of discussion about this at cyrus-sasl@, where they repeatedly have to explain why there is no way around storing cleartext passwords for their use cases.

That relayd.conf may contain cleartext passwords already - for whatever reason - made me report that bug.

Origin of relayd.conf is hoststated.conf introduced by [1] with mode 0600. Later renamed to relayd.conf in [2] also with mode 0600.

Nothing stops a user from creating those files from scratch, rather than copying defaults including file permissions and that may lead to insecure file permissions so at least nanny the user about, or give a fuck about it.

0x02# ls -lah /etc/relayd.conf
ls: /etc/relayd.conf: No such file or directory
0x02# touch /etc/relayd.conf
0x02# ls -lah /etc/relayd.conf
-rw-r--r-- 1 root wheel 0B Feb 21 21:23 /etc/relayd.conf
^^^^^^^^^^
0x02# ls -lah /etc/examples/relayd.conf
-rw------- 1 root wheel 2.7K Feb 21 07:06 /etc/examples/relayd.conf
^^^^^^^^^^
0x02# rm /etc/relayd.conf

[1] <https://github.com/openbsd/src/commit/201b0bc9bbc9ea830726e19ed78b51c15b81e21f>
[2] <https://github.com/openbsd/src/commit/4d9c5f5b4438cf3c709db52ab5dab3e752a22ed2>

Just my 2cents,
...
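
A secrecy check of the kind this thread is arguing about, as an added example that is not part of the message above and is not code from relayd or httpd. The function names, result codes and the policy itself (regular file, owned by root or the caller, nothing wider than 0600) are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <sys/stat.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>

/* Result codes; names are hypothetical, chosen for this example. */
enum { CONF_OK = 0, CONF_ESTAT = -1, CONF_ETYPE = -2, CONF_EOWNER = -3, CONF_EMODE = -4 };

/* Check the open descriptor, so the file inspected is the file parsed.
 * Assumed policy: regular file, owner root or caller, no group/other bits. */
int conf_check_fd(int fd)
{
	struct stat st;

	if (fstat(fd, &st) == -1)
		return CONF_ESTAT;
	if (!S_ISREG(st.st_mode))
		return CONF_ETYPE;
	if (st.st_uid != 0 && st.st_uid != getuid())
		return CONF_EOWNER;
	if (st.st_mode & (S_IRWXG | S_IRWXO))
		return CONF_EMODE;	/* e.g. the 0644 left by touch(1) */
	return CONF_OK;
}

/* Open read-only without following a final symlink; fd or negative code. */
int conf_open_checked(const char *path)
{
	int fd = open(path, O_RDONLY | O_NOFOLLOW), rc;

	if (fd == -1)
		return CONF_ESTAT;
	if ((rc = conf_check_fd(fd)) != CONF_OK)
		close(fd);
	return rc == CONF_OK ? fd : rc;
}

/* Create from scratch as 0600: the umask can only clear bits,
 * and O_EXCL refuses to reuse an existing file. */
int conf_create_private(const char *path)
{
	return open(path, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);
}

/* Exit status 0 if the file passes, 1 if it is refused or missing. */
int main(int argc, char *argv[])
{
	return conf_open_checked(argc > 1 ? argv[1] : "/etc/relayd.conf") >= 0 ? 0 : 1;
}
```

Checking with fstat() on the descriptor that is then parsed, rather than stat() on the path, keeps the check and the read on the same file.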