Subject: misc/18258: etc/openssl/private should be private by default
To: None <gnats-bugs@gnats.netbsd.org>
From: Julio Merino <jmmv@hispabsd.org>
List: netbsd-bugs
Date: 09/10/2002 20:35:37
>Number:         18258
>Category:       misc
>Synopsis:       etc/openssl/private should be private by default
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    misc-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Tue Sep 10 11:35:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Julio Merino
>Release:        NetBSD 1.6H
>Organization:
HispaBSD
>Environment:
	
	
System: NetBSD darkstar.local 1.6H NetBSD 1.6H (DARKSTAR) #12: Sun Sep 8 10:57:26 CEST 2002 jmmv@darkstar.local:/var/build/kernel/DARKSTAR i386
Architecture: i386
Machine: i386
>Description:
	Currently, /etc/openssl contains three directories in the default
	installation: certs, misc and private. These directories come
	configured (again, by default) with 755 permissions. This is OK
	for certs and misc, but not for private.

	private contains sensitive information (i.e., private keys) so it
	must remain non-readable for all others except root. I mean, it
	should be set to a 0700 mode in the default installation.
>How-To-Repeat:
	
>Fix:
	Consider using this patch:

Index: NetBSD.dist
===================================================================
RCS file: /cvsroot/basesrc/etc/mtree/NetBSD.dist,v
retrieving revision 1.202
diff -u -u -r1.202 NetBSD.dist
--- NetBSD.dist	2002/08/28 09:57:11	1.202
+++ NetBSD.dist	2002/09/10 18:22:16
@@ -19,7 +19,7 @@
 ./etc/openssl
 ./etc/openssl/certs
 ./etc/openssl/misc
-./etc/openssl/private
+./etc/openssl/private		mode=0700
 ./etc/postfix
 ./etc/racoon
 ./etc/rc.conf.d
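Review bot: the mode=0700 on the ./etc/openssl/private entry only takes effect where the spec is applied, so a fresh installation gets the right mode but an already-installed system keeps its 0755 directory until the spec is re-applied (for example with mtree -U -f /etc/mtree/NetBSD.dist) or the directory is chmod'ed by hand; the PR or the commit message should say how existing installs are expected to pick up the change. Note also that the directory mode does not alter the modes of key files already written inside it, so the files themselves still need to be checked.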


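As an added example that is not part of this PR or of NetBSD itself, the script below resolves the effective mode an mtree(8) spec gives a path (a per-entry mode= overrides the /set default) and checks the before and after states of the NetBSD.dist hunk above on constructed spec excerpts; the /set line and the file names are assumptions modelled on that hunk.

```shell
#!/bin/sh
# Added example, not part of the PR or of NetBSD: resolve the effective mode an
# mtree(8) spec assigns to a path, then audit constructed "before"/"after" specs
# modelled on the NetBSD.dist hunk in this PR.

# effective_mode SPEC PATH -> prints the mode the spec assigns to PATH ("" if absent).
effective_mode() {
  awk -v want="$2" '
    $1 == "/set"    { for (i = 2; i <= NF; i++) if (split($i, kv, "=") == 2) def[kv[1]] = kv[2]; next }
    $1 == "/unset"  { for (i = 2; i <= NF; i++) delete def[$i]; next }
    /^#/ || NF == 0 { next }
    $1 == want {
      mode = ("mode" in def) ? def["mode"] : ""          # default inherited from /set
      for (i = 2; i <= NF; i++)                          # per-entry keyword overrides it
        if (split($i, kv, "=") == 2 && kv[1] == "mode") mode = kv[2]
      print mode; exit
    }' "$1"
}

# is_private_in_spec SPEC PATH -> 0 if PATH ends up owner-only (0700), 1 otherwise.
is_private_in_spec() {
  case "$(effective_mode "$1" "$2")" in
    700|0700) return 0 ;;
    *)        return 1 ;;
  esac
}

# write_spec FILE yes|no -> constructed spec excerpt; "yes" applies the PR's change.
write_spec() {
  {
    echo '/set type=dir uname=root gname=wheel mode=0755'   # assumed default, as in NetBSD.dist
    echo './etc/openssl'
    echo './etc/openssl/certs'
    echo './etc/openssl/misc'
    if [ "$2" = yes ]; then echo './etc/openssl/private mode=0700'
    else echo './etc/openssl/private'; fi
    echo './etc/postfix'
  } > "$1"
}

BEFORE=$(mktemp); AFTER=$(mktemp)
write_spec "$BEFORE" no
write_spec "$AFTER" yes

for spec in "$BEFORE" "$AFTER"; do
  printf '%s: ./etc/openssl/private -> mode %s\n' "$spec" \
    "$(effective_mode "$spec" ./etc/openssl/private)"
done
rm -f "$BEFORE" "$AFTER" 2>/dev/null || true
```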
>Release-Note:
>Audit-Trail:
>Unformatted: