/etc/ssl/private has far too permissive permissions by default
| Task Info (Flyspray) | |
|---|---|
| Opened By | Patrick Goetz (pgoetz) |
| Task ID | 43059 |
| Type | Bug Report |
| Project | Arch Linux |
| Category | Security |
| Version | None |
| OS | All |
| Opened | 2014-12-09 22:01:17 UTC |
| Status | Assigned |
| Assignee | Pierre Schmitz (Pierre) |
| Assignee | Felix Yan (felixonmars) |
Details
Package: openssl 1.0.1.j-1
Description: The permissions on /etc/ssl/private are far too permissive by default:
```
# cd /etc/ssl
# ls -l private
drwxr-xr-x 2 root root 4096 Sep 9 05:34 private
```
This allows anyone with a login to get into the private key folder. If someone messes up the permissions on a key file, the key becomes publicly accessible.
Suggestion: the Debian configuration for this is pretty good. First, create an ssl-cert group:
```
# grep ssl-cert /etc/group
ssl-cert:x:113:postfix,cyrus
```
Then set the permissions on /etc/ssl/private accordingly:
```
# cd /etc/ssl
# ls -ld private
drwx--x--- 2 root ssl-cert 4096 Sep 9 05:34 private
```
As illustrated above, services which need access to the private key store can then be added to the ssl-cert group. Of course, the keys will also need to be owned by ssl-cert and group-readable.
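
The following audit script is an added example, not part of the original report or of any Arch or Debian package. It checks the two layers the report describes: whether the key directory is open to "other", and whether a key file with a loose mode is actually reachable through it. The function name and the finding labels (DIR-OPEN, EXPOSED, LATENT) are made up for this example, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit a private-key directory such as /etc/ssl/private.
# Usage: sh audit_keys.sh /etc/ssl/private
# Finding labels are invented for this example. Requires GNU stat (coreutils).

# Prints one finding per line; exit status 0 = clean, 1 = findings, 2 = error.
audit_key_dir() (
    dir=$1
    rc=0
    dmode=$(stat -c '%a' "$dir") || exit 2
    dother=$(( 0$dmode & 07 ))     # "other" permission bits on the directory
    if [ "$dother" -ne 0 ]; then
        echo "DIR-OPEN $dir mode=$dmode"
        rc=1
    fi
    for f in "$dir"/* "$dir"/.[!.]*; do
        # Regular files only; symlink modes say nothing about the target.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        fmode=$(stat -c '%a' "$f") || exit 2
        # Only the "other" read bit is a finding; group read is intended,
        # since services in the key group must be able to read the key.
        [ $(( 0$fmode & 04 )) -ne 0 ] || continue
        if [ $(( $dother & 01 )) -ne 0 ]; then
            # Directory is searchable by everyone: any local user can read it.
            echo "EXPOSED $f mode=$fmode"
        else
            # Directory blocks traversal; the loose file mode is not reachable.
            echo "LATENT $f mode=$fmode"
        fi
        rc=1
    done
    [ "$rc" -eq 0 ]
)

# Run the audit only when a directory is given on the command line.
[ "$#" -eq 0 ] || audit_key_dir "$1"
```

With the directory at 755, a key file left at 644 is reported as EXPOSED; with the directory at 710, the same mistake is reported as LATENT.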