When installing port net-mgmt/icinga2 and someone intends to use satellites/zones, the icinga feature "API" needs to be enabled and setup. When performing a trivial CLI command sequence "icinga2 api setup", a standard file is installed in the FreeBSD standard installation path called /usr/local/etc/icinga2/conf.d/api-users.conf which has the follwoing access settings: -rw-r--r-- 1 root wheel 281 Aug 22 07:43 api-users.conf So the file, although containing sensitive passwords for the remote API access, has world readability! Changing the access rights with "chmod 600" ends up in a Compile error from icinga2 core, as well as "chmod 640", because icinga2 core is running uid:gid "icinga:icinga". I performed "chown icinga:wheel api-users.conf" and "chmod 600 api-users.conf" to gain maximum protection - not aware of any other implications so far.
Feedback please.
The icinga2 binary itself creates the file when you run "icinga2 api setup". It's up to the upstream developers to change the file permissions.