apache: Ensure that not everyone can read the keys
authorMichael Tremer <michael.tremer@ipfire.org>
Tue, 7 Nov 2017 20:30:52 +0000 (20:30 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Tue, 28 Nov 2017 14:11:49 +0000 (14:11 +0000)
This would become a security risk if anyone gets
shell access as any user to copy out the HTTPS keys.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/rootfiles/core/117/filelists/files
config/rootfiles/core/117/update.sh
src/initscripts/system/apache

index a29d9ac..d7513c1 100644 (file)
@@ -1,6 +1,7 @@
 etc/system-release
 etc/issue
 etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf
+etc/rc.d/init.d/apache
 etc/ssl/certs/ca-bundle.crt
 etc/ssl/certs/ca-bundle.trust.crt
 opt/pakfire/lib/functions.pl
index 816f7f1..51f40d9 100644 (file)
@@ -39,6 +39,11 @@ extract_files
 # update linker config
 ldconfig
 
+# Make apache keys not readable for everyone
+chmod 600 \
+       /etc/httpd/server.key \
+       /etc/httpd/server-ecdsa.key
+
 # Update Language cache
 #/usr/local/bin/update-lang-cache
 
index 541141e..7d04841 100644 (file)
@@ -11,6 +11,7 @@ generate_certificates() {
        if [ ! -f "/etc/httpd/server.key" ]; then
                boot_mesg "Generating HTTPS RSA server key (this will take a moment)..."
                openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null
+               chmod 600 /etc/httpd/server.key
                evaluate_retval
        fi
 
@@ -18,6 +19,7 @@ generate_certificates() {
                boot_mesg "Generating HTTPS ECDSA server key..."
                openssl ecparam -genkey -name secp384r1 -noout \
                        -out /etc/httpd/server-ecdsa.key &>/dev/null
+               chmod 600 /etc/httpd/server-ecdsa.key
                evaluate_retval
        fi