/etc/ssl/private has far too permissive permissions by default
Task Info (Flyspray) | |
---|---|
Opened By | Patrick Goetz (pgoetz) |
Task ID | 43059 |
Type | Bug Report |
Project | Arch Linux |
Category | Security |
Version | None |
OS | All |
Opened | 2014-12-09 22:01:17 UTC |
Status | Assigned |
Assignee | Pierre Schmitz (Pierre) |
Assignee | Felix Yan (felixonmars) |
Details
Package: openssl 1.0.1.j-1
Description: The permissions on /etc/ssl/private are far too permissive by default:
```
# cd /etc/ssl
# ls -l private
drwxr-xr-x 2 root root 4096 Sep 9 05:34 private
```
This allows anyone with a login to get into the private key folder. If someone messes up the permissions on a key file, the key becomes publicly accessible.
Suggestion: the Debian configuration for this is pretty good. First, create an ssl-cert group:
```
# grep ssl-cert /etc/group
ssl-cert:x:113:postfix,cyrus
```
Then set the permissions on /etc/ssl/private accordingly:
```
# cd /etc/ssl
# ls -ld private
drwx--x--- 2 root ssl-cert 4096 Sep 9 05:34 private
```
As illustrated above, services which need access to the private key store can then be added to the ssl-cert group. Of course the keys will also need to be owned by ssl-cert and group readable.
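
A check for the condition this report describes, as an added example that is not part of the original report or of the openssl package: it reads the "other" permission bits from `ls -ld`, as in the listings above, and separates a key file that any login can actually read from one that is shielded only by the directory mode. The function names and the finding labels (DIR-OPEN, EXPOSED, LATENT) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the report. Label names are illustrative.

# other_bits PATH: the three "other" permission characters as ls -ld shows
# them (columns 8-10), e.g. "r-x" for drwxr-xr-x. -L follows symlinks.
other_bits() {
    ls -ldL -- "$1" | cut -c8-10
}

# audit_keydir DIR: print one finding per line; return 1 if any, 2 on error.
# Hidden files (names starting with ".") are not examined.
audit_keydir() {
    dir=$1
    findings=0
    [ -d "$dir" ] || { echo "ERROR $dir: not a directory"; return 2; }

    dbits=$(other_bits "$dir")
    # Search (x) permission for "other" is what lets any login open files
    # inside by name; "t" is x plus the sticky bit.
    case $dbits in
        *x|*t) traversable=yes ;;
        *)     traversable=no ;;
    esac
    case $dbits in
        ---|--T) ;;
        *) echo "DIR-OPEN $dir: other has '$dbits'"
           findings=$((findings + 1)) ;;
    esac

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case $(other_bits "$f") in
            r*) if [ "$traversable" = yes ]; then
                    echo "EXPOSED $f: readable by any local user"
                else
                    echo "LATENT $f: other-readable, shielded only by directory mode"
                fi
                findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}
```

Called as `audit_keydir /etc/ssl/private` by a user who can read the directory, it reports nothing for a `drwx--x---` directory whose key files carry no "other" bits.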