On 06.02.2014 09:29, Phil wrote:
> On 6/02/2014 6:23 PM, Steffen Kaiser wrote:
>> You show us the symbolic link, which has all Unix permissions usually. The
>> interesting file is the final target,
>> e.g. /etc/ssl/private/ssl-cert-snakeoil.key if that is no symlink as well,
>> and the permissions of all directories
>> to it.
>>
>> For instance, Debian uses these perms for the private dir:
>>
>> drwx--x--- 2 root ssl-cert 4096 Jul 4 2012 /etc/ssl/private/
>>
>> I think it looks the same on your Ubuntu machine. So add
>> the Dovecot user to group ssl-cert to let it enter the directory
>> at all. The Snakeoil key is usually group-readable for ssl-cert, too.
>> So no change of permissions is necessary there as well.
>
> I did this and my perms look like this now:
>
> total 8
> -rw------- 1 root dovecot 887 2013-11-25 11:33 dovecot.pem
> -rw-r----- 1 dovecot ssl-cert 887 2013-11-17 12:27 ssl-cert-snakeoil.key
> lrwxrwxrwx 1 root root 38 2013-11-27 08:35 ssl-mail.key -> /etc/ssl/private/ssl-cert-snakeoil.key
For the sake of correctness:

* the server process owning config files is generally bad
* SSL certs are opened with root permissions at startup
* that is why chmod 0400 and owner/group root are the recommended perms for certificates
* the same for Apache httpd and Postfix
* only Apache Trafficserver opens certs as the ats user (for now)

The only thing where permissions could be relevant at all in the context of SSL certificates is if someone removes the execute permission from one of the parent folders.
