From: Jan Schreiber
Subject: Re: httpd: support encrypted tls server keys
To: Christian Schulte , Peter Hessler , tech@openbsd.org
Date: Tue, 24 Feb 2026 11:32:38 +0000

On 2/21/26 21:38, Christian Schulte wrote:
> Am 21.02.2026 um 14:01 schrieb Stuart Henderson:
>> On 2026/02/20 18:47, Peter Hessler wrote:
>>> I hate _hate_ _HATE_ the bullshit permissions checking that isn't
>>> necessary.
>> I totally agree, especially the checks for group-writable in many
>> parse.y that make no sense at all...
>>
> What drew attention to this was someone wanting to add support for
> cleartext passwords in httpd.conf. It then turned out relayd.conf may
> contain cleartext passwords already, for whatever reason. I strongly
> agree that storing cleartext passwords anywhere if avoidable is a bad
> idea. There has been a lot of discussion about this at cyrus-sasl@,
> where they repeatedly have to explain why there is no way around storing
> cleartext passwords for their use cases. That relayd.conf may contain
> cleartext passwords already - for whatever reason - made me report that
> bug. Origin of relayd.conf is hoststated.conf introduced by [1] with
> mode 0600. Later renamed to relayd.conf in [2] also with mode 0600.
> Nothing stops a user from creating those files from scratch, rather than
> copying defaults including file permissions and that may lead to
> insecure file permissions so at least nanny the user about it, or give a
> fuck about it.
>
> 0x02# ls -lah /etc/relayd.conf
> ls: /etc/relayd.conf: No such file or directory
> 0x02# touch /etc/relayd.conf
> 0x02# ls -lah /etc/relayd.conf
> -rw-r--r-- 1 root wheel 0B Feb 21 21:23 /etc/relayd.conf
> ^^^^^^^^^^
> 0x02# ls -lah /etc/examples/relayd.conf
> -rw------- 1 root wheel 2.7K Feb 21 07:06 /etc/examples/relayd.conf
> ^^^^^^^^^^
> 0x02# rm /etc/relayd.conf
>
>
> [1]
>
> [2]
>
>
> Just my 2 cents,
> ...

I'm fine with not supporting this feature in httpd.
If I'm not mistaken nginx also does not support plaintext passwords in its config. A consensus about warning the user or generally ignoring it would be good though. Right now it is inconsistent and I can't imagine that being the preferred situation.