From d4092860749a2425a400129cd50cd14d7875c5e2 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 7 Nov 2017 20:30:52 +0000
Subject: [PATCH] apache: Ensure that not everyone can read the keys

This would become a security risk if anyone gets shell access as any user to copy out the HTTPS keys.

Signed-off-by: Michael Tremer
---
 config/rootfiles/core/117/filelists/files | 1 +
 config/rootfiles/core/117/update.sh | 5 +++++
 src/initscripts/system/apache | 2 ++
 3 files changed, 8 insertions(+)
diff --git a/config/rootfiles/core/117/filelists/files b/config/rootfiles/core/117/filelists/files
index a29d9ac38d..d7513c1718 100644
--- a/config/rootfiles/core/117/filelists/files
+++ b/config/rootfiles/core/117/filelists/files
@@ -1,6 +1,7 @@
 etc/system-release
 etc/issue
 etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf
+etc/rc.d/init.d/apache
 etc/ssl/certs/ca-bundle.crt
 etc/ssl/certs/ca-bundle.trust.crt
 opt/pakfire/lib/functions.pl
diff --git a/config/rootfiles/core/117/update.sh b/config/rootfiles/core/117/update.sh
index 816f7f110f..51f40d99ab 100644
--- a/config/rootfiles/core/117/update.sh
+++ b/config/rootfiles/core/117/update.sh
@@ -39,6 +39,11 @@ extract_files
 # update linker config
 ldconfig
+# Make apache keys not readable for everyone
+chmod 600 \
+ /etc/httpd/server.key \
+ /etc/httpd/server-ecdsa.key
+
 # Update Language cache
 #/usr/local/bin/update-lang-cache
diff --git a/src/initscripts/system/apache b/src/initscripts/system/apache
index 541141e3b1..7d048418b4 100644
--- a/src/initscripts/system/apache
+++ b/src/initscripts/system/apache
@@ -11,6 +11,7 @@ generate_certificates() {
 if [ ! -f "/etc/httpd/server.key" ]; then
 boot_mesg "Generating HTTPS RSA server key (this will take a moment)..."
 openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null
+ chmod 600 /etc/httpd/server.key
 evaluate_retval
 fi
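Review bot: The `chmod 600` added to update.sh fixes the mode of the two key files but leaves their ownership untouched, so a key that is owned by a user other than root on an existing installation stays readable to that user. If the keys are expected to be root-owned (the initscript hunk creates them from the boot path, presumably as root), pairing the mode change with `chown root:root /etc/httpd/server.key /etc/httpd/server-ecdsa.key` makes the update close that case as well. The mode change also does not undo any read that happened while the files were world-readable; whether updated systems should regenerate their keys is a deployment decision, but it is worth stating in the release notes so administrators can make it.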
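Review bot: In this hunk (and the ECDSA hunk that follows) `openssl ... -out` creates the key file under the boot-time umask before the added `chmod 600` runs, so the file can briefly exist with wider permissions; creating it restrictively from the start removes that window, e.g. `(umask 077; openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null)` here and the same wrapper around the `openssl ecparam` command in the next hunk. A second effect of the insertion is that `evaluate_retval`, which presumably reports `$?` of the immediately preceding command as in LFS-style boot scripts, now reflects the status of `chmod` rather than of `openssl`, so a failed key generation that still leaves a file behind would be printed as success; with the umask wrapper the chmod line is no longer needed and `evaluate_retval` again follows the openssl call. The enclosing `generate_certificates()` starts before this hunk and continues after it.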
@@ -18,6 +19,7 @@ generate_certificates() {
 boot_mesg "Generating HTTPS ECDSA server key..."
 openssl ecparam -genkey -name secp384r1 -noout \
 -out /etc/httpd/server-ecdsa.key &>/dev/null
+ chmod 600 /etc/httpd/server-ecdsa.key
 evaluate_retval
 fi
-- 
2.39.2