Erik Espinoza wrote:
> I'll answer this one with a "not sure". I don't remember this question
> being asked. Since all of my toasters have no users on them, I never
> really thought about it.

I don't have any users either (as I imagine is the case with most toasters),
so it's not a gaping hole. I just like seeing holes (however little) plugged up.

> Maybe Nick will have some insight, as I have no clue.
> 
> Erik
> 
> On 1/18/07, Eric Shubes <[EMAIL PROTECTED]> wrote:
>> EE (or anyone),
>>
>> Any word about this? Seems to me that servercert.pem shouldn't be world
>> readable since it contains the private (signing) key and all parent
>> directories are world readable. (I seem to remember EE answering this,
>> but can't find nor remember the answer)
>>
>> Also, I came across this at
>> http://qmail.jms1.net/scripts/qfixpermissions:
>>
>> # some broken install guides (i.e. qmailrocks) tell you to create
>> # servercert.pem and clientcert.pem as a single file, with one as a symbolic
>> # link to the other. this is wrong, since qmail-smtpd and qmail-remote (the
>> # two programs which need to read these files) run as different userids and
>> # different group ids. the only way that a symbolic link scenario will work
>> # is if the file is readable to every userid on the system- and this is a
>> # major security hole, since the file contains the secret key for encrypting
>> # your SMTP sessions, both incoming and outgoing.
>>
>> How is the toaster handling this? I can't figure out how/why the toaster
>> seems to work with clientcert.pem symlinked.
>>
>> Eric "Shubes" wrote:
>> > I just configured SSL on my server, and noticed what I think is a
>> > bit of a security risk.
>> >
>> > All of the *.pem files are readable by any account, e.g.:
>> > lrwxrwxrwx  1 root qmail   14 Sep 10 10:08 clientcert.pem -> servercert.pem
>> > -rw-r--r--  1 root qmail 1693 Jun 21 08:21 servercert.pem
>> >
>> > Isn't this a bad idea, given that this file in particular contains a
>> > private key?
>> >
>> > To fix it, I did:
>> > # cd /var/qmail/control
>> > # chgrp vchkpw *.pem
>> > # chmod  o-r *.pem
>> > # rm -f clientcert.pem
>> > # cp -p servercert.pem clientcert.pem
>> > # chgrp qmail clientcert.pem
>> >
>> > Is this a non issue, or should it be changed in the basic toaster?
>>


-- 
-Eric 'shubes'
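The permission problem and the fix discussed in this thread, written up as an added audit/repair script (not part of the original messages or of qmail-toaster): it flags any world-readable *.pem in the control directory or a clientcert.pem that is a symlink, and applies the one-copy-per-reader layout from Eric's fix. The group names are passed in as parameters because the thread's vchkpw (qmail-smtpd) / qmail (qmail-remote) mapping is specific to the toaster; the directory defaults to /var/qmail/control.

```shell
#!/bin/sh
# Constructed example for a qmail control directory holding TLS certificates.
# servercert.pem contains the private key, so it must not be readable by
# "other"; and because qmail-smtpd and qmail-remote run under different
# uids/gids, clientcert.pem must be a separate copy, not a symlink.

# Report problems; exit status 0 = clean, 1 = something to fix.
audit_pem_dir() {
    dir=${1:-/var/qmail/control}
    problems=0
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || [ -L "$f" ] || continue      # glob matched nothing
        if [ -L "$f" ]; then
            echo "SYMLINK        $f -> $(readlink "$f")" \
                 "(readers run as different gids; use a separate copy)"
            problems=$((problems + 1))
            continue
        fi
        # -perm -004: the 'other' read bit is set on this file
        if [ -n "$(find "$f" -prune -perm -004)" ]; then
            echo "WORLD-READABLE $f (holds the private key; needs chmod o-r)"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Apply the thread's fix: one private copy per reader, each in the group of
# the daemon that reads it.  smtpd_group = group qmail-smtpd runs as (vchkpw
# on the toaster, assumed), remote_group = group qmail-remote runs as (qmail).
fix_pem_dir() {
    dir=$1; smtpd_group=$2; remote_group=$3
    [ -f "$dir/servercert.pem" ] || { echo "no servercert.pem in $dir" >&2; return 2; }
    rm -f "$dir/clientcert.pem"                      # drops the symlink if present
    cp -p "$dir/servercert.pem" "$dir/clientcert.pem"
    chgrp "$smtpd_group"  "$dir/servercert.pem"
    chgrp "$remote_group" "$dir/clientcert.pem"
    chmod o-r "$dir"/*.pem                           # group-readable only
}
```

Run `audit_pem_dir` first; `fix_pem_dir` needs root on a real toaster because it changes group ownership of root-owned files.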

---------------------------------------------------------------------
     QmailToaster hosted by: VR Hosted <http://www.vr.org>
---------------------------------------------------------------------