
/etc/ssl/private has far too permissive permissions by default

Task Info (Flyspray)
Opened By Patrick Goetz (pgoetz)
Task ID 43059
Type Bug Report
Project Arch Linux
Category Security
Version None
OS All
Opened 2014-12-09 22:01:17 UTC
Status Assigned
Assignee Pierre Schmitz (Pierre)
Assignee Felix Yan (felixonmars)

Details

Package: openssl 1.0.1.j-1

Description: The permissions on /etc/ssl/private are far too permissive by default:

# cd /etc/ssl
# ls -l private
drwxr-xr-x 2 root root 4096 Sep  9 05:34 private

This allows anyone with a login to get into the private key folder. If someone messes up the permissions on a key file, the key becomes publicly accessible.

Suggestion: the Debian configuration for this is pretty good. First, create an ssl-cert group:

# grep ssl-cert /etc/group
ssl-cert:x:113:postfix,cyrus

Then set the permissions on /etc/ssl/private accordingly:

# cd /etc/ssl
# ls -ld private
drwx--x--- 2 root ssl-cert 4096 Sep  9 05:34 private

As illustrated above, services which need access to the private key store can then be added to the ssl-cert group. Of course the keys will also need to be owned by ssl-cert and group readable.
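
The exposure described in this report can be checked mechanically. The following is an added example, not part of the original report or of any Arch or Debian package: the function names `has_mode` and `audit_key_dir` are hypothetical, and it inspects only the mode bits of the directory and the files under it, not group ownership.

```shell
#!/bin/sh
# Added example: audit a private-key directory for the exposure described above.
# Only mode bits of DIR and the regular files under it are checked (assumption:
# parent directories such as /etc/ssl are world-traversable, as is usual).
# Usage: audit_key_dir /etc/ssl/private

# has_mode PATH MODE: succeeds if PATH has all bits of MODE set (POSIX find).
has_mode() {
    [ -n "$(find "$1" -prune -perm "-$2")" ]
}

# audit_key_dir DIR: prints one finding per line; returns 1 if any, 2 on error.
audit_key_dir() {
    dir=$1
    rc=0
    [ -d "$dir" ] || { echo "ERROR not a directory: $dir" >&2; return 2; }

    # Any "other" bit on the directory lets every local account list or enter it.
    if has_mode "$dir" 001 || has_mode "$dir" 002 || has_mode "$dir" 004; then
        echo "DIR_OPEN_TO_OTHERS $dir"
        rc=1
    fi

    # o+x on the directory decides whether a badly-moded key can be opened.
    if has_mode "$dir" 001; then label=KEY_EXPOSED; else label=KEY_MASKED_BY_DIR; fi

    # World-readable key files: exposed now, or one chmod on the directory away.
    world_readable=$(find "$dir" -type f -perm -004)
    if [ -n "$world_readable" ]; then
        printf '%s\n' "$world_readable" | sed "s/^/$label /"
        rc=1
    fi
    return "$rc"
}
```

A `KEY_MASKED_BY_DIR` line means the restrictive directory mode is the only thing keeping that key from other local accounts.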
