]> git.ipfire.org Git - ipfire-2.x.git/commitdiff
projects / ipfire-2.x.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b5aca95)
apache: Ensure that not everyone can read the keys
authorMichael Tremer <michael.tremer@ipfire.org>
Tue, 7 Nov 2017 20:30:52 +0000 (20:30 +0000)
committerMichael Tremer <michael.tremer@ipfire.org>
Tue, 28 Nov 2017 14:11:49 +0000 (14:11 +0000)
This would become a security risk if anyone gets
shell access as any user to copy out the HTTPS keys.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
config/rootfiles/core/117/filelists/files patch | blob | blame | history
config/rootfiles/core/117/update.sh patch | blob | blame | history
src/initscripts/system/apache patch | blob | blame | history

diff --git a/config/rootfiles/core/117/filelists/files b/config/rootfiles/core/117/filelists/files
index a29d9ac38d3e648a25079168a90856684d7038b2..d7513c17180fabadac0b369e6f3ac4608c2969e8 100644 (file)
--- a/config/rootfiles/core/117/filelists/files
+++ b/config/rootfiles/core/117/filelists/files
@@ -1,6 +1,7 @@
 etc/system-release
 etc/issue
 etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf
+etc/rc.d/init.d/apache
 etc/ssl/certs/ca-bundle.crt
 etc/ssl/certs/ca-bundle.trust.crt
 opt/pakfire/lib/functions.pl
diff --git a/config/rootfiles/core/117/update.sh b/config/rootfiles/core/117/update.sh
index 816f7f110f55925197db93c773d6e4446b2e526f..51f40d99ab0da22d0a33d62e2f1c43bcdc8b2165 100644 (file)
--- a/config/rootfiles/core/117/update.sh
+++ b/config/rootfiles/core/117/update.sh
@@ -39,6 +39,11 @@ extract_files
 # update linker config
 ldconfig
 
+# Make apache keys not readable for everyone
+chmod 600 \
+       /etc/httpd/server.key \
+       /etc/httpd/server-ecdsa.key
+
 # Update Language cache
 #/usr/local/bin/update-lang-cache
 
diff --git a/src/initscripts/system/apache b/src/initscripts/system/apache
index 541141e3b186e1a49cefe453aa68c49c89e4c84c..7d048418b4d16fbf69f6a6c6323b25e0452dd8c9 100644 (file)
--- a/src/initscripts/system/apache
+++ b/src/initscripts/system/apache
@@ -11,6 +11,7 @@ generate_certificates() {
        if [ ! -f "/etc/httpd/server.key" ]; then
                boot_mesg "Generating HTTPS RSA server key (this will take a moment)..."
                openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null
+               chmod 600 /etc/httpd/server.key
                evaluate_retval
        fi
 
@@ -18,6 +19,7 @@ generate_certificates() {
                boot_mesg "Generating HTTPS ECDSA server key..."
                openssl ecparam -genkey -name secp384r1 -noout \
                        -out /etc/httpd/server-ecdsa.key &>/dev/null
+               chmod 600 /etc/httpd/server-ecdsa.key
                evaluate_retval
        fi
 
IPFire 2.x development tree