Bug 141479 - Creates certificates + keys at an insecure/bad place
Creates certificates + keys at an insecure/bad place
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: cyrus-imapd (Show other bugs)
3
All Linux
medium Severity low
: ---
: ---
Assigned To: John Dennis
Brian Brock
impact=low,public=20041201
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-12-01 09:53 EST by Enrico Scholz
Modified: 2007-11-30 17:10 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-04-18 18:49:49 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Enrico Scholz 2004-12-01 09:53:00 EST
Description of problem:

The %post scriptlet creates the SSL certificate at /usr/share/ssl. This
causes problems because:

* the /usr filesystem (inclusive /usr/share/ssl) can be shared between
  several hosts; when there are multiple imap-servers, every one would
  use the same certificate. This will not work because CN must match
  the DNS name.

  This causes problems also, when /usr is mounted read-only. Then the
  %post-scriptlet will fail because the certificate can not be created.


* the sharing happens in >90% of all cases over an unencrypted
  network-filesystem (NFS). So, an attacker could easily get the
  SSL key.

A better place for the certificates would be somewhere under /etc.


Version-Release number of selected component (if applicable):

cyrus-imapd-2.2.10-1.fc3
Comment 1 John Dennis 2004-12-01 14:49:34 EST
The choice of /usr/share/ssl is dictated by the openssl package which
puts its certificates in %{_datadir}/ssl, a standard location that is
in compliance with FHS, or at least that was the thinking, but I think
its easily open to interpretation and you present viable and
reasonable arguments to move it elsewhere. I could be persuaded that
/var/lib/ssl/certs, /usr/local/ssl/certs, or /etc/ssl/certs all would
represent locations consistent with FHS and would remedy the issues
you raised.

However, the configuration of the cyrus rpm is meant to be consistent
with all other ssl usage in the distribution, that is the advantage of
using a distribution from a single vendor. Also our cyrus rpm is
derived almost verbatim from Simon Matter's rpm which is somewhat of a
standard, and the certs location is consistent with his rpm as well.
Although you present good arguments I'm not inclinded to change the
location in cyrus unless Red Hat decides to move /usr/share/ssl/certs
for everything in the system. Such a move may make sense and I've
cc'ed the owner of the openssl rpm (Nalin) on this bugzilla to allow
him to comment. At the moment I tend to view this as an openssl issue
and not a cyrus-imapd issue (because of system consistency).

You do have the ability to move the certificate location via the
imap.conf file for your installation.
Comment 2 Simon Matter 2004-12-17 11:31:36 EST
I agree, all my rpms use %{_datadir}/ssl which is the defacto standard
on RedHat/Fedora distributions.
Comment 3 Enrico Scholz 2004-12-17 11:45:41 EST
Really? A counter-example is httpd which places certs + keys into
/etc/httpd/ssl.*.

I know only one other package which uses /usr/share/ssl for its keys:
openldap-servers. The scriptlet there looks very similar to this of
cyrus-imapd so I think one package copied the error of the other one.


/usr/share/ssl can be used for CA certificates (ca-bundle) which
will not conflict across machines. But it is not appropriately for
host-specific and secret configuration files.
Comment 4 Enrico Scholz 2005-02-28 19:39:53 EST
Because there was no rational behind this WONTFIX, I guess this
happened accidentally. Therefore, I am reverting to the previous state...
Comment 5 John Dennis 2005-03-01 10:18:30 EST
I thought the rational was spelled out in comments #1 and #2
Comment 6 Enrico Scholz 2005-03-01 11:42:04 EST
But comment #3 shows that the assumptions in these comments are wrong. 
Comment 7 John Dennis 2005-04-18 18:49:49 EDT
fixed in fedora extras
Comment 8 John Dennis 2005-04-21 16:17:45 EDT
We finally reached a consensus on a common directory to hold certs (/etc/pki).
cyrus-imapd in extras was modified to place its pem file in the subdirectory
/etc/pki/cyrus-imapd. We will eventually over time migrate other packages to use
/etc/pki as well.

Note You need to log in before you can comment on or make changes to this bug.