From: Michael Tremer
Date: Tue, 7 Nov 2017 20:30:52 +0000 (+0000)
Subject: apache: Ensure that not everyone can read the keys
X-Git-Tag: v2.19-core117~1^2~58
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d4092860749a2425a400129cd50cd14d7875c5e2;p=ipfire-2.x.git

apache: Ensure that not everyone can read the keys

This would become a security risk if anyone gets shell access as any user to copy out the HTTPS keys.

Signed-off-by: Michael Tremer
---
diff --git a/config/rootfiles/core/117/filelists/files b/config/rootfiles/core/117/filelists/files
index a29d9ac38d..d7513c1718 100644
--- a/config/rootfiles/core/117/filelists/files
+++ b/config/rootfiles/core/117/filelists/files
@@ -1,6 +1,7 @@
 etc/system-release
 etc/issue
 etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf
+etc/rc.d/init.d/apache
 etc/ssl/certs/ca-bundle.crt
 etc/ssl/certs/ca-bundle.trust.crt
 opt/pakfire/lib/functions.pl
diff --git a/config/rootfiles/core/117/update.sh b/config/rootfiles/core/117/update.sh
index 816f7f110f..51f40d99ab 100644
--- a/config/rootfiles/core/117/update.sh
+++ b/config/rootfiles/core/117/update.sh
@@ -39,6 +39,11 @@ extract_files
 # update linker config
 ldconfig
+# Make apache keys not readable for everyone
+chmod 600 \
+ /etc/httpd/server.key \
+ /etc/httpd/server-ecdsa.key
+
 # Update Language cache
 #/usr/local/bin/update-lang-cache
diff --git a/src/initscripts/system/apache b/src/initscripts/system/apache
index 541141e3b1..7d048418b4 100644
--- a/src/initscripts/system/apache
+++ b/src/initscripts/system/apache
@@ -11,6 +11,7 @@ generate_certificates() {
 if [ ! -f "/etc/httpd/server.key" ]; then
 boot_mesg "Generating HTTPS RSA server key (this will take a moment)..."
 openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null
+chmod 600 /etc/httpd/server.key
 evaluate_retval
 fi
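Review bot: The unconditional `chmod 600` in the update.sh hunk fails on any installation where one of the two key files does not yet exist, and whether update.sh then aborts depends on an error mode (`set -e` or a status check) that is not visible here; the init script creates each key only when it is missing at boot, so /etc/httpd/server-ecdsa.key in particular may be absent on a box that has not rebooted since ECDSA support was added. Guard each path instead: `for key in /etc/httpd/server.key /etc/httpd/server-ecdsa.key; do`, `[ -f "${key}" ] && chmod 600 "${key}"`, `done`. Tightening the mode also does not undo prior exposure — a key that was world-readable before this update may already have been copied by a local user — so the commit message or release notes should tell administrators that regenerating the keys and the matching certificate is the only way to recover from that.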
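Review bot: Placing `chmod 600` between the `openssl genrsa` line and `evaluate_retval` changes what evaluate_retval reports: if it inspects the status of the preceding command, as LFS-style boot helpers do (verify against the sourced boot-functions file), a failed key generation is now masked by the chmod result, and when generation does succeed the key briefly exists with whatever mode the boot umask allows before chmod runs. Generating under a restrictive umask keeps the status check attached to openssl and closes that window: `(umask 077; openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null)` followed by the existing `evaluate_retval`, with no separate chmod line. The ECDSA hunk at `@@ -18,6 +19,7 @@` has the same ordering and should get the same treatment with its `openssl ecparam` command. The enclosing generate_certificates function starts before this hunk and continues past it.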
@@ -18,6 +19,7 @@ generate_certificates() {
 boot_mesg "Generating HTTPS ECDSA server key..."
 openssl ecparam -genkey -name secp384r1 -noout \
 -out /etc/httpd/server-ecdsa.key &>/dev/null
+chmod 600 /etc/httpd/server-ecdsa.key
 evaluate_retval
 fi