Addendum to FrontPage password issue

hostmaster (root@VICTIM.COM)
Fri, 09 Jan 1998 17:05:21 -0800

Upon further review, the problem is not as severe as I originally thought.

Everything is set umask 002 only if a group is specified on the fp_install
command line (i.e. you don't want everything owned by group root). And
they're world-readable because the web server (presumably running as
nobody) has to be able to read them to do HTTP authentication.

The permissions _can_ be successfully changed. In my case, I used a
Solaris ACL to give the httpd user read permission and set the password
files to 0600, and changed the umask in the fp_install script to be a
little less trusting. YMMV - changing the permissions made it bomb the
first time around, but it's working for me now.

Sorry for the false alarm. There are still some very strange things going
on with the default installation scripts' use of permissions and I intend
to review this more thoroughly over the weekend.

--
Dave Pifke, dave@victim.com
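
The permission change described in the message above, as an added example that is not part of the original post: shell functions that find world-readable password files, set them to 0600 and optionally grant the web server user read access through an ACL. The directory, the file name pattern and the user name are assumptions passed as arguments, and the `setfacl` entry syntax is assumed to be accepted by the local implementation.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumptions: the caller supplies the web root, a name pattern for the
# password files, and (optionally) the account the web server runs as.

# Print regular files under $1 matching pattern $2 that "other" can read.
list_world_readable() {
    find "$1" -type f -name "$2" -perm -004 -print
}

# Number of world-readable matches, for use in checks and reports.
count_world_readable() {
    list_world_readable "$1" "$2" | wc -l | tr -d ' '
}

# Set every world-readable match to 0600. When $3 names a user, also add
# an ACL entry so that user alone keeps read access.
tighten_pwfiles() {
    dir=$1
    pattern=$2
    httpd_user=${3:-}
    list_world_readable "$dir" "$pattern" | while IFS= read -r f; do
        chmod 0600 "$f" || continue
        if [ -n "$httpd_user" ]; then
            # Explicit mask so the user entry is effective after chmod.
            setfacl -m "user:${httpd_user}:r--,mask:r--" "$f" ||
                echo "ACL not applied to $f; HTTP auth may fail" >&2
        fi
        echo "tightened: $f"
    done
}

# Example invocation (hypothetical path, pattern and user):
#   tighten_pwfiles /path/to/webroot '*.pwd' nobody
```

Run `count_world_readable` before and after to confirm the change, then test HTTP authentication, since the server can no longer read the files if the ACL step failed.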