Gentoo Forums
what permissions for ssl
javeree
Guru
Joined: 29 Jan 2006
Posts: 339

PostPosted: Wed Feb 19, 2014 1:15 pm    Post subject: what permissions for ssl Reply with quote

Yesterday, for the first time, I installed ssl keys and am using it now to provide https and imaps access.
However, since then, when I logon as a standard user, I get the following
Quote:
* keychain 2.7.1 ~ http://www.funtoo.org
* Found existing ssh-agent: 6091
Auto configuration failed
3073595016:error:0200100D:system library:fopen:Permission denied:bss_file.c:169:fopen('/etc/ssl/openssl.cnf','rb')
3073595016:error:2006D002:BIO routines:BIO_new_file:system lib:bss_file.c:174:
3073595016:error:0E078002:configuration file routines:DEF_LOAD:system lib:conf_def.c:199:


I don't know why or how keychain tries to access '/etc/ssl/openssl.cnf', but the problem with the permission denied is:
drwx------ 5 root root 4096 18 feb 17:41 /etc/ssl

I could chmod 744 /etc/ssl, but that would mean anyone can then access /etc/ssl, including the keys within. At best I could limit it to a certain group of users (but in practice it would result in all 'standard' users).

Since I have just followed a few recipes to create the keys, I have limited understanding of what each file is. I wanted to know what files I can leave world readable and which ones must be root only.

At this moment I have (ls -l /etc/ssl/*)
Quote:
-rw-r--r-- 1 root root 2325 17 feb 12:59 /etc/ssl/cacert.pem
-rw-r--r-- 1 root root 173 17 feb 17:28 /etc/ssl/certindex.txt
-rw-r--r-- 1 root root 21 17 feb 17:28 /etc/ssl/certindex.txt.attr
-rw-r--r-- 1 root root 21 17 feb 15:45 /etc/ssl/certindex.txt.attr.old
-rw-r--r-- 1 root root 85 17 feb 15:45 /etc/ssl/certindex.txt.old
-rw-r--r-- 1 root root 6677 17 feb 15:45 /etc/ssl/domain-cert.pem
-rw-r--r-- 1 root root 1825 17 feb 13:00 /etc/ssl/domain-req.pem
-rw-r--r-- 1 root root 6684 17 feb 17:28 /etc/ssl/dovecot-cert.pem
-rw-r--r-- 1 root root 1830 17 feb 17:28 /etc/ssl/dovecot-req.pem
-rw-r--r-- 1 root root 1990 17 feb 15:44 /etc/ssl/openssl.cnf
-rw-r--r-- 1 root root 7 17 feb 17:28 /etc/ssl/serial
-rw-r--r-- 1 root root 7 17 feb 15:45 /etc/ssl/serial.old

/etc/ssl/certs:
total 16
-rw-r--r-- 1 root root 6677 17 feb 15:45 100001.pem
-rw-r--r-- 1 root root 6684 17 feb 17:28 100002.pem

/etc/ssl/dovecot:
total 16
-r--r--r-- 1 root root 1046 18 feb 17:41 server.crt
-r--r--r-- 1 root root 749 18 feb 17:41 server.csr
-r-------- 1 root root 891 18 feb 17:41 server.key
-r-------- 1 root root 1938 18 feb 17:41 server.pem

/etc/ssl/private:
total 12
-rw-r--r-- 1 root root 3394 17 feb 12:59 cakey.pem
-rw------- 1 root root 3272 17 feb 13:00 domain-key.pem
-rw-r--r-- 1 root root 3272 17 feb 17:28 dovecot-key.pem


I assume that it is sufficient to
chmod 700 /etc/ssl/private/* but don't know about the other files.

FYI, the 'recipe' used was
Quote:
SSLDIR="/etc/ssl"
mkdir "$SSLDIR"
chmod 0700 "$SSLDIR"
echo '100001' >serial
touch certindex.txt
--> Edit /etc/ssl/openssl.cnf
cd "$SSLDIR"
openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf
openssl req -new -nodes -out domain-req.pem -keyout private/domain-key.pem -config ./openssl.cnf
openssl ca -out domain-cert.pem -config ./openssl.cnf -infiles domain-req.pem
openssl req -new -nodes -out dovecot-req.pem -keyout private/dovecot-key.pem -config ./openssl.cnf
openssl ca -out dovecot-cert.pem -config ./openssl.cnf -infiles dovecot-req.pem


I believe the /etc/ssl/dovecot directory is the result of an earlier attempt. Should I be able to delete that?
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13490

PostPosted: Thu Feb 20, 2014 2:57 am    Post subject: Re: what permissions for ssl Reply with quote

javeree wrote:
I could chmod 744 /etc/ssl, but that would mean anyone can then access /etc/ssl, including the keys within. At best I could limit it to a certain group of users (but in practice it would result in all 'standard' users).
No, it would not. Mode 744 would permit users to list the directory contents, but not to open the files within.
javeree wrote:
Since I have just followed a few recipes to create the keys, I have limited understanding of what each file is. I wanted to know what files I can leave world readable and which ones must be root only.
Protect files which contain private keys. You may protect files which contain public keys, but that is not required.
javeree wrote:
I assume that it is sufficient to
chmod 700 /etc/ssl/private/* but don't know about the other files.
Generally, you do not need to grant execute permission to keys.
javeree
Guru
Joined: 29 Jan 2006
Posts: 339

PostPosted: Thu Feb 20, 2014 9:49 am    Post subject: Reply with quote

@Hu

Thanks,
Yes, of course, 744 on a directory would not necessarily mean the user can read files within, but with the files within being 644, it would be possible. That was what I meant: if I set the directory to 744, for which files do I need to switch off the world or group reading rights?

I've tried yesterday to understand better what is behind the recipe I found, and together with your comments, I did the following.

I suppose all files in /etc/ssl/private are (drumroll) ... private keys. So I allow access to root only 700 on the dir and 600 on the keys within.

I found out that the dovecot directory is created by the dovecot ebuild. So I just deleted that.

I believe that the /etc/ssl/certs directory is meant to store trusted keys. So it is not necessary for the server side, but for the client side. It only contains keys that are public (my keys and public keys from others), so I should set dir and files to read only, as I don't want anyone to tell the system who to trust.

All pem files in /etc/ssl are public, so read-only is fine.
(I wonder if it is allowed to remove the -req files?)

Finally the certindex* and openssl.cnf files. These also don't contain secrets, so read only is allowed.

I've updated the settings as above.
Hu
Moderator
Joined: 06 Mar 2007
Posts: 13490

PostPosted: Thu Feb 20, 2014 11:20 pm    Post subject: Reply with quote

javeree wrote:
Yes, of course, 744 on a directory would not necessarily mean the user can read files within, but with the files within being 644, it would be possible. That was what I meant: if I set the directory to 744, for which files do I need to switch off the world or group reading rights?
You misunderstood my statement. If you set the directory to mode 744, then you do not need to protect any of the files because only the directory owner has search permission on the directory.
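The two rules the thread arrives at (javeree: anything under /etc/ssl/private holds a private key and must be owner-only, everything else is public; Hu: a directory without group/other search permission shields everything beneath it regardless of the files' own modes) can be checked mechanically before reopening the directory. The script below is an added example, not code from this thread or from Gentoo or OpenSSL. It builds a constructed temporary copy of the poster's layout (placeholder PEM bodies, not real keys; the CA key deliberately left 0644 as in the listing), decides secrecy by content rather than by path (any `PRIVATE KEY-----` block), and reports which keys are readable by group/other, separating the ones actually reachable from the ones only shielded by a closed parent directory such as a 744 /etc/ssl. The function names and the temp-directory layout are this example's own assumptions.

```python
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Constructed placeholder PEM bodies (not real keys or certificates).
KEY_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
           b"CONSTRUCTED PLACEHOLDER, NOT A REAL KEY\n"
           b"-----END RSA PRIVATE KEY-----\n")
CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n"
            b"CONSTRUCTED PLACEHOLDER CERTIFICATE\n"
            b"-----END CERTIFICATE-----\n")


def holds_private_key(path: Path) -> bool:
    """A PEM file is secret if it carries any '... PRIVATE KEY-----' block
    (RSA, EC, PKCS#8 and ENCRYPTED variants all share that suffix)."""
    try:
        return b"PRIVATE KEY-----" in path.read_bytes()
    except OSError:
        return False


def readable_beyond_owner(mode: int) -> bool:
    """Group or world read bit set on a file (e.g. 0644, 0640)."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def owner_only_search(dir_mode: int) -> bool:
    """No group/other execute (search) bit: nobody but the owner can open
    paths beneath this directory, whatever the files' own modes say."""
    return not (dir_mode & (stat.S_IXGRP | stat.S_IXOTH))


def shielded_by_ancestor(path: Path, root: Path) -> bool:
    """Walk from the file's parent up to and including `root`, looking for
    a directory closed to everyone but its owner."""
    current = path.parent
    while True:
        if owner_only_search(stat.S_IMODE(current.stat().st_mode)):
            return True
        if current == root:
            return False
        current = current.parent


def audit(root: Path) -> dict:
    """Classify every file under `root` and list chmod commands (relative
    to `root`) for keys that are group/world readable. Keys shielded only
    by a closed parent directory get the same fix, since that shield is
    one chmod away from disappearing."""
    findings = {"exposed_private_keys": [], "shielded_by_dir": [],
                "public_ok": [], "fixes": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = str(path.relative_to(root))
        mode = stat.S_IMODE(path.stat().st_mode)
        if not holds_private_key(path):
            findings["public_ok"].append(rel)  # certs, CSRs, openssl.cnf, index
            continue
        if not readable_beyond_owner(mode):
            continue                           # already 0600/0400: fine
        bucket = ("shielded_by_dir" if shielded_by_ancestor(path, root)
                  else "exposed_private_keys")
        findings[bucket].append(rel)
        findings["fixes"].append(f"chmod 600 {rel}")
    return findings


def build_sample_tree(base: Path, ssl_dir_mode: int) -> Path:
    """Constructed copy of the thread's layout: CA key left 0644 as in the
    poster's listing, domain key already 0600, subdirectories left open so
    only the top-level directory mode decides whether the CA key is shielded."""
    ssl = base / "ssl"
    (ssl / "private").mkdir(parents=True)
    (ssl / "certs").mkdir()
    files = {
        "cacert.pem": (CERT_PEM, 0o644),
        "openssl.cnf": (b"[ ca ]\ndefault_ca = CA_default\n", 0o644),
        "certs/100001.pem": (CERT_PEM, 0o644),
        "private/cakey.pem": (KEY_PEM, 0o644),
        "private/domain-key.pem": (KEY_PEM, 0o600),
    }
    for name, (data, mode) in files.items():
        target = ssl / name
        target.write_bytes(data)
        os.chmod(target, mode)
    os.chmod(ssl / "private", 0o755)
    os.chmod(ssl / "certs", 0o755)
    os.chmod(ssl, ssl_dir_mode)
    return ssl


def demo(ssl_dir_mode: int = 0o755) -> dict:
    """Build the sample tree in a temp dir, audit it, clean up."""
    base = Path(tempfile.mkdtemp(prefix="ssl-audit-"))
    try:
        return audit(build_sample_tree(base, ssl_dir_mode))
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for mode in (0o755, 0o744):
        print(f"top-level directory mode {mode:o}: {demo(mode)}")
```

Run against a real tree with `audit(Path("/etc/ssl"))` as root. With the top-level directory at 755 the world-readable CA key is reported as exposed; at 744 the same key lands in `shielded_by_dir`, which is Hu's point, but the script still proposes `chmod 600` for it because a key's safety should not rest on the mode of a directory someone may later open up to fix a `Permission denied` on openssl.cnf.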