Re: [qmailtoaster] *.pem security issue
EE (or anyone),

Any word about this? Seems to me that servercert.pem shouldn't be world readable since it contains the private (signing) key and all parent directories are world readable. (I seem to remember EE answering this, but can't find nor remember the answer)

Also, I came across this at http://qmail.jms1.net/scripts/qfixpermissions:

    # some broken install guides (i.e. qmailrocks) tell you to create
    # servercert.pem and clientcert.pem as a single file, with one as a symbolic
    # link to the other. this is wrong, since qmail-smtpd and qmail-remote (the
    # two programs which need to read these files) run as different userids and
    # different group ids. the only way that a symbolic link scenario will work
    # is if the file is readable to every userid on the system- and this is a
    # major security hole, since the file contains the secret key for encrypting
    # your SMTP sessions, both incoming and outgoing.

How is the toaster handling this? I can't figure out how/why the toaster seems to work with clientcert.pem symlinked.

Eric Shubes wrote:
> I just configured SSL on my server, and noticed what I think is a bit of a security risk. All of the *.pem files are readable by any account, e.g.:
>
>     lrwxrwxrwx 1 root qmail 14 Sep 10 10:08 clientcert.pem -> servercert.pem
>     -rw-r--r-- 1 root qmail 1693 Jun 21 08:21 servercert.pem
>
> Isn't this a bad idea, given that this file in particular contains a private key?
>
> To fix it, I did:
>
>     # cd /var/qmail/control
>     # chgrp vchkpw *.pem
>     # chmod o-r *.pem
>     # rm -f clientcert.pem
>     # cp -p servercert.pem clientcert.pem
>     # chgrp qmail clientcert.pem
>
> Is this a non issue, or should it be changed in the basic toaster?

--
-Eric 'shubes'

QmailToaster hosted by: VR Hosted http://www.vr.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Re: [qmailtoaster] *.pem security issue
I'll answer this one with a not sure. I don't remember this question being asked. Since all of my toasters have no users on them, I never really thought about it.

Maybe Nick will have some insight, as I have no clue.

Erik

On 1/18/07, Eric Shubes wrote:
> EE (or anyone),
>
> Any word about this? Seems to me that servercert.pem shouldn't be world readable since it contains the private (signing) key and all parent directories are world readable. (I seem to remember EE answering this, but can't find nor remember the answer)
>
> Also, I came across this at http://qmail.jms1.net/scripts/qfixpermissions:
>
>     # some broken install guides (i.e. qmailrocks) tell you to create
>     # servercert.pem and clientcert.pem as a single file, with one as a symbolic
>     # link to the other. this is wrong, since qmail-smtpd and qmail-remote (the
>     # two programs which need to read these files) run as different userids and
>     # different group ids. the only way that a symbolic link scenario will work
>     # is if the file is readable to every userid on the system- and this is a
>     # major security hole, since the file contains the secret key for encrypting
>     # your SMTP sessions, both incoming and outgoing.
>
> How is the toaster handling this? I can't figure out how/why the toaster seems to work with clientcert.pem symlinked.
>
> Eric Shubes wrote:
>> I just configured SSL on my server, and noticed what I think is a bit of a security risk. All of the *.pem files are readable by any account, e.g.:
>>
>>     lrwxrwxrwx 1 root qmail 14 Sep 10 10:08 clientcert.pem -> servercert.pem
>>     -rw-r--r-- 1 root qmail 1693 Jun 21 08:21 servercert.pem
>>
>> Isn't this a bad idea, given that this file in particular contains a private key?
>>
>> To fix it, I did:
>>
>>     # cd /var/qmail/control
>>     # chgrp vchkpw *.pem
>>     # chmod o-r *.pem
>>     # rm -f clientcert.pem
>>     # cp -p servercert.pem clientcert.pem
>>     # chgrp qmail clientcert.pem
>>
>> Is this a non issue, or should it be changed in the basic toaster?
>
> --
> -Eric 'shubes'

Re: [qmailtoaster] *.pem security issue
Erik Espinoza wrote:
> I'll answer this one with a not sure. I don't remember this question being asked. Since all of my toasters have no users on them, I never really thought about it.

I don't have any users either (as I imagine is the case with most toasters), so it's not a gaping hole. I just like seeing holes (however little) plugged up.

> Maybe Nick will have some insight, as I have no clue.
>
> Erik
>
> On 1/18/07, Eric Shubes wrote:
>> EE (or anyone),
>>
>> Any word about this? Seems to me that servercert.pem shouldn't be world readable since it contains the private (signing) key and all parent directories are world readable. (I seem to remember EE answering this, but can't find nor remember the answer)
>>
>> Also, I came across this at http://qmail.jms1.net/scripts/qfixpermissions:
>>
>>     # some broken install guides (i.e. qmailrocks) tell you to create
>>     # servercert.pem and clientcert.pem as a single file, with one as a symbolic
>>     # link to the other. this is wrong, since qmail-smtpd and qmail-remote (the
>>     # two programs which need to read these files) run as different userids and
>>     # different group ids. the only way that a symbolic link scenario will work
>>     # is if the file is readable to every userid on the system- and this is a
>>     # major security hole, since the file contains the secret key for encrypting
>>     # your SMTP sessions, both incoming and outgoing.
>>
>> How is the toaster handling this? I can't figure out how/why the toaster seems to work with clientcert.pem symlinked.
>>
>> Eric Shubes wrote:
>>> I just configured SSL on my server, and noticed what I think is a bit of a security risk. All of the *.pem files are readable by any account, e.g.:
>>>
>>>     lrwxrwxrwx 1 root qmail 14 Sep 10 10:08 clientcert.pem -> servercert.pem
>>>     -rw-r--r-- 1 root qmail 1693 Jun 21 08:21 servercert.pem
>>>
>>> Isn't this a bad idea, given that this file in particular contains a private key?
>>>
>>> To fix it, I did:
>>>
>>>     # cd /var/qmail/control
>>>     # chgrp vchkpw *.pem
>>>     # chmod o-r *.pem
>>>     # rm -f clientcert.pem
>>>     # cp -p servercert.pem clientcert.pem
>>>     # chgrp qmail clientcert.pem
>>>
>>> Is this a non issue, or should it be changed in the basic toaster?

--
-Eric 'shubes'

Re: [qmailtoaster] *.pem security issue
Agreed, it's why I asked for Nick's input.

Thanks,
Erik

On 1/18/07, Eric Shubes wrote:
> Erik Espinoza wrote:
>> I'll answer this one with a not sure. I don't remember this question being asked. Since all of my toasters have no users on them, I never really thought about it.
>
> I don't have any users either (as I imagine is the case with most toasters), so it's not a gaping hole. I just like seeing holes (however little) plugged up.
>
>> Maybe Nick will have some insight, as I have no clue.
>>
>> Erik
>>
>> On 1/18/07, Eric Shubes wrote:
>>> EE (or anyone),
>>>
>>> Any word about this? Seems to me that servercert.pem shouldn't be world readable since it contains the private (signing) key and all parent directories are world readable. (I seem to remember EE answering this, but can't find nor remember the answer)
>>>
>>> Also, I came across this at http://qmail.jms1.net/scripts/qfixpermissions:
>>>
>>>     # some broken install guides (i.e. qmailrocks) tell you to create
>>>     # servercert.pem and clientcert.pem as a single file, with one as a symbolic
>>>     # link to the other. this is wrong, since qmail-smtpd and qmail-remote (the
>>>     # two programs which need to read these files) run as different userids and
>>>     # different group ids. the only way that a symbolic link scenario will work
>>>     # is if the file is readable to every userid on the system- and this is a
>>>     # major security hole, since the file contains the secret key for encrypting
>>>     # your SMTP sessions, both incoming and outgoing.
>>>
>>> How is the toaster handling this? I can't figure out how/why the toaster seems to work with clientcert.pem symlinked.
>>>
>>> Eric Shubes wrote:
>>>> I just configured SSL on my server, and noticed what I think is a bit of a security risk. All of the *.pem files are readable by any account, e.g.:
>>>>
>>>>     lrwxrwxrwx 1 root qmail 14 Sep 10 10:08 clientcert.pem -> servercert.pem
>>>>     -rw-r--r-- 1 root qmail 1693 Jun 21 08:21 servercert.pem
>>>>
>>>> Isn't this a bad idea, given that this file in particular contains a private key?
>>>>
>>>> To fix it, I did:
>>>>
>>>>     # cd /var/qmail/control
>>>>     # chgrp vchkpw *.pem
>>>>     # chmod o-r *.pem
>>>>     # rm -f clientcert.pem
>>>>     # cp -p servercert.pem clientcert.pem
>>>>     # chgrp qmail clientcert.pem
>>>>
>>>> Is this a non issue, or should it be changed in the basic toaster?
>
> --
> -Eric 'shubes'

[qmailtoaster] *.pem security issue
I just configured SSL on my server, and noticed what I think is a bit of a security risk. All of the *.pem files are readable by any account, e.g.:

    lrwxrwxrwx 1 root qmail 14 Sep 10 10:08 clientcert.pem -> servercert.pem
    -rw-r--r-- 1 root qmail 1693 Jun 21 08:21 servercert.pem

Isn't this a bad idea, given that this file in particular contains a private key?

To fix it, I did:

    # cd /var/qmail/control
    # chgrp vchkpw *.pem
    # chmod o-r *.pem
    # rm -f clientcert.pem
    # cp -p servercert.pem clientcert.pem
    # chgrp qmail clientcert.pem

Is this a non issue, or should it be changed in the basic toaster?

--
-Eric 'shubes'
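
An added example (not part of the thread and not QmailToaster code): a POSIX shell check for the two conditions discussed above, a world-readable *.pem and clientcert.pem as a symlink, run on a constructed scratch directory and followed by the mode and symlink steps of the posted fix. The function names are hypothetical; the chgrp steps from the thread need root and the vchkpw and qmail groups, so they appear only as a comment.

```shell
#!/bin/sh
# Print one finding per line for every *.pem in DIR that is a symlink
# or a regular file with the "other" read bit set.
audit_pem() {
    dir=$1
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || [ -L "$f" ] || continue      # unmatched glob
        name=${f##*/}
        if [ -L "$f" ]; then
            echo "SYMLINK $name -> $(readlink "$f")"
        elif [ -n "$(find "$f" -prune -perm -004)" ]; then
            echo "WORLD_READABLE $name"
        fi
    done
}

# Mode and symlink part of the fix posted in the thread.
harden_pem() {
    dir=$1
    if [ -L "$dir/clientcert.pem" ]; then
        # A real copy lets each file carry its own group.
        rm -f "$dir/clientcert.pem"
        cp -p "$dir/servercert.pem" "$dir/clientcert.pem"
    fi
    chmod o-r "$dir"/*.pem
    # As root on a real toaster, the thread also sets the groups:
    #   chgrp vchkpw servercert.pem ; chgrp qmail clientcert.pem
}

# Constructed stand-in for /var/qmail/control (placeholder text, no key).
make_sample() {
    d=$(mktemp -d)
    printf 'constructed placeholder, not a real key\n' > "$d/servercert.pem"
    chmod 644 "$d/servercert.pem"
    ln -s servercert.pem "$d/clientcert.pem"
    echo "$d"
}

d=$(make_sample)
echo "before:"; audit_pem "$d"
harden_pem "$d"
echo "after:";  audit_pem "$d"; ls -l "$d"
rm -rf "$d"
```
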