Subject: misc/18258: etc/openssl/private should be private by default
To: None <gnats-bugs@gnats.netbsd.org>
From: Julio Merino <jmmv@hispabsd.org>
List: netbsd-bugs
Date: 09/10/2002 20:35:37
>Number: 18258
>Category: misc
>Synopsis: etc/openssl/private should be private by default
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: misc-bug-people
>State: open
>Class: change-request
>Submitter-Id: net
>Arrival-Date: Tue Sep 10 11:35:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Julio Merino
>Release: NetBSD 1.6H
>Organization:
HispaBSD
>Environment:
System: NetBSD darkstar.local 1.6H NetBSD 1.6H (DARKSTAR) #12: Sun Sep 8 10:57:26 CEST 2002 jmmv@darkstar.local:/var/build/kernel/DARKSTAR i386
Architecture: i386
Machine: i386
>Description:
Currently, /etc/openssl contains three directories in the default
installation: certs, misc and private. These directories come
configured (again, by default) with 755 permissions. This is OK
for certs and misc, but not for private.
private contains sensible information (i.e., private keys) so it
must remain non-readable for all others except root. I mean, it
should be set to a 0700 mode in the default installation.
>How-To-Repeat:
>Fix:
Consider using this patch:
Index: NetBSD.dist
===================================================================
RCS file: /cvsroot/basesrc/etc/mtree/NetBSD.dist,v
retrieving revision 1.202
diff -u -u -r1.202 NetBSD.dist
--- NetBSD.dist 2002/08/28 09:57:11 1.202
+++ NetBSD.dist 2002/09/10 18:22:16
@@ -19,7 +19,7 @@
./etc/openssl
./etc/openssl/certs
./etc/openssl/misc
-./etc/openssl/private
+./etc/openssl/private mode=0700
./etc/postfix
./etc/racoon
./etc/rc.conf.d
>Release-Note:
>Audit-Trail:
>Unformatted: