EE (or anyone), Any word about this? Seems to me that servercert.pem shouldn't be world readable since it contains the private (signing) key and all parent directories are world readable. (I seem to remember EE answering this, but can't find nor remember the answer)
Also, I came across this at http://qmail.jms1.net/scripts/qfixpermissions: # some broken install guides (i.e. qmailrocks) tell you to create # servercert.pem and clientcert.pem as a single file, with one as a symbolic # link to the other. this is wrong, since qmail-smtpd and qmail-remote (the # two programs which need to read these files) run as different userids and # different group ids. the only way that a symbolic link scenario will work # is if the file is readable to every userid on the system- and this is a # major security hole, since the file contains the secret key for encrypting # your SMTP sessions, both incoming and outgoing. How is the toaster handling this? I can't figure out how/why the toaster seems to work with clientcert.pem symlinked. Eric "Shubes" wrote: > I just configured SSL on my server, and noticed what I think is a bit of a > security risk. > > All of the *.pem files are readable by any account, e.g.: > lrwxrwxrwx 1 root qmail 14 Sep 10 10:08 clientcert.pem -> servercert.pem > -rw-r--r-- 1 root qmail 1693 Jun 21 08:21 servercert.pem > > Isn't this a bad idea, given that this file in particular contains a private > key? > > To fix it, I did: > # cd /var/qmail/control > # chgrp vchkpw *.pem > # chmod o-r *.pem > # rm -f clientcert.pem > # cp -p servercert.pem clientcert.pem > # chgrp qmail clientcert.pem > > Is this a non issue, or should it be changed in the basic toaster? -- -Eric 'shubes' --------------------------------------------------------------------- QmailToaster hosted by: VR Hosted <http://www.vr.org> --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
