Bug 141479
| Summary: | Creates certificates + keys at an insecure/bad place | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Enrico Scholz <rh-bugzilla> |
| Component: | cyrus-imapd | Assignee: | John Dennis <jdennis> |
| Status: | CLOSED RAWHIDE | QA Contact: | Brian Brock <bbrock> |
| Severity: | low | Priority: | medium |
| Version: | 3 | CC: | bressers, nalin |
| Keywords: | Security | Whiteboard: | impact=low,public=20041201 |
| Hardware: | All | OS: | Linux |
| Doc Type: | Bug Fix | Last Closed: | 2005-04-18 22:49:49 UTC |

Description
Enrico Scholz
2004-12-01 14:53:00 UTC
The choice of /usr/share/ssl is dictated by the openssl package which
puts its certificates in %{_datadir}/ssl, a standard location that is
in compliance with FHS, or at least that was the thinking, but I think
it's easily open to interpretation and you present viable and
reasonable arguments to move it elsewhere. I could be persuaded that
/var/lib/ssl/certs, /usr/local/ssl/certs, or /etc/ssl/certs all would
represent locations consistent with FHS and would remedy the issues
you raised.

However, the configuration of the cyrus rpm is meant to be consistent
with all other ssl usage in the distribution, that is the advantage of
using a distribution from a single vendor. Also our cyrus rpm is
derived almost verbatim from Simon Matter's rpm which is somewhat of a
standard, and the certs location is consistent with his rpm as well.

Although you present good arguments I'm not inclined to change the
location in cyrus unless Red Hat decides to move /usr/share/ssl/certs
for everything in the system. Such a move may make sense and I've
cc'ed the owner of the openssl rpm (Nalin) on this bugzilla to allow
him to comment. At the moment I tend to view this as an openssl issue
and not a cyrus-imapd issue (because of system consistency).

You do have the ability to move the certificate location via the
imap.conf file for your installation.

I agree, all my rpms use %{_datadir}/ssl which is the de facto standard
on RedHat/Fedora distributions.

Really? A counter-example is httpd which places certs + keys into /etc/httpd/ssl.*. I know only one other package which uses /usr/share/ssl for its keys: openldap-servers. The scriptlet there looks very similar to that of cyrus-imapd so I think one package copied the error of the other one.

/usr/share/ssl can be used for CA certificates (ca-bundle) which will not conflict across machines. But it is not appropriate for host-specific and secret configuration files.

Because there was no rationale behind this WONTFIX, I guess this happened accidentally. Therefore, I am reverting to the previous state...

I thought the rationale was spelled out in comments #1 and #2.

But comment #3 shows that the assumptions in these comments are wrong.

Fixed in Fedora Extras.

We finally reached a consensus on a common directory to hold certs (/etc/pki). cyrus-imapd in extras was modified to place its pem file in the subdirectory /etc/pki/cyrus-imapd. We will eventually over time migrate other packages to use /etc/pki as well.
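
An added example, not part of the original bug thread or the package: a shell check an administrator could run against a Cyrus configuration to find TLS files still pointing into /usr/share, the location the thread moves away from. It assumes the imapd.conf option names `tls_cert_file` and `tls_key_file` written as `option: value` lines; the world-readable test on the key file goes one step beyond the location issue discussed above, and the function name and finding labels are illustrative.

```shell
#!/bin/sh
# Added example: audit Cyrus TLS file settings for host-specific material
# stored under /usr/share (a tree meant for shareable, read-only data).
# Assumption: options are named tls_cert_file / tls_key_file.

# audit_tls_paths CONF
# Prints one finding per line as "<option> <path> <reason>".
# Returns 0 when nothing is flagged, 1 when there is at least one finding.
audit_tls_paths() {
    findings=$(
        # Extract "<option> <path>" pairs; commented-out lines do not match
        # because the pattern is anchored on the option name.
        sed -nE 's/^[[:space:]]*(tls_(cert|key)_file)[[:space:]]*:[[:space:]]*([^[:space:]]+).*$/\1 \3/p' "$1" |
        while read -r opt path; do
            # Host-specific certs and keys do not belong in the shared tree.
            case $path in
                /usr/share/*) echo "$opt $path under-usr-share" ;;
            esac
            # The private key must not be readable by "other".
            # find prints the path only if the world-read bit is set;
            # a missing file prints nothing.
            if [ "$opt" = tls_key_file ] &&
               [ -n "$(find "$path" -prune -perm -004 2>/dev/null)" ]; then
                echo "$opt $path world-readable"
            fi
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone use: sh audit.sh /etc/imapd.conf
if [ $# -gt 0 ]; then
    audit_tls_paths "$1"
fi
```

A non-zero exit status means at least one setting needs attention; the /etc/pki/cyrus-imapd directory named in the final comment is the location the package settled on.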