Bug 955380 - Default permissions of generated SSL certificate/key do not make sense
Summary: Default permissions of generated SSL certificate/key do not make sense
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora EPEL
Classification: Fedora
Component: prosody
Version: el6
Hardware: All
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Johan Cwiklinski
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 955780
 
Reported: 2013-04-22 23:23 UTC by Robert Scheck
Modified: 2013-05-30 03:07 UTC

Fixed In Version: prosody-0.8.2-6.fc17
Clone Of:
Environment:
Last Closed: 2013-05-15 19:43:47 UTC
Type: Bug
Embargoed:


Attachments
Patch suggestion for prosody.spec to solve SSL cert/key issue (1.13 KB, patch)
2013-04-22 23:25 UTC, Robert Scheck

Description Robert Scheck 2013-04-22 23:23:51 UTC
Description of problem:
The default permissions of generated SSL certificate/key do not make sense,
because prosody drops root privilege very soon (if it's running under these
permissions at all). Thus the SSL certificate/key cannot be read by default.
Default permission is root:root and 700 for both SSL certificate and key.

Version-Release number of selected component (if applicable):
prosody-0.8.2-5.el6.x86_64

How reproducible:
Every time, just set up a plain prosody and have a look for SSL/TLS issues.
  
Actual results:
Default permissions of generated SSL certificate/key do not make sense

Expected results:
More wise file permissions for generated SSL certificate/key in the future.

Additional info:
This issue affects all Fedora and EPEL branches! Please apply the attached
patch or better.
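
The access decision behind this report, worked through as an added example (not part of the original report, the attached patch, or the prosody package). It applies the POSIX owner/group/other read check to the reported state (root:root, mode 700) for a service that has dropped root. The uid/gid 990 for the service account and the root:service-group 0640 layout are assumptions for illustration; the page does not show what the patch changed.

```python
import os
import stat


def can_read(mode, file_uid, file_gid, uid, gids):
    """POSIX read check for one file (ignores ACLs and directory search bits)."""
    if uid == 0:
        return True                      # root bypasses the mode bits
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)  # owner class wins, even if group allows
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def audit_key(mode, file_uid, file_gid, svc_uid, svc_gids):
    """Findings for a TLS key file as seen by a service after it drops root."""
    findings = []
    if not can_read(mode, file_uid, file_gid, svc_uid, svc_gids):
        findings.append("unreadable-after-privilege-drop")
    if mode & stat.S_IRWXO:
        findings.append("world-accessible")
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("execute-bit-on-data-file")
    return findings


def audit_path(path, svc_uid, svc_gids):
    """Same audit, reading owner and mode from a real file."""
    st = os.stat(path)
    return audit_key(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                     svc_uid, svc_gids)


if __name__ == "__main__":
    SVC_UID, SVC_GIDS = 990, {990}       # constructed service account ids
    cases = {
        "reported: root:root 0700": (0o700, 0, 0),
        "assumed layout: root:svc 0640": (0o640, 0, 990),
        "too open: root:root 0644": (0o644, 0, 0),
    }
    for label, (mode, uid, gid) in cases.items():
        print(label, "->", audit_key(mode, uid, gid, SVC_UID, SVC_GIDS) or "ok")
```
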

Comment 1 Robert Scheck 2013-04-22 23:25:03 UTC
Created attachment 738715
Patch suggestion for prosody.spec to solve SSL cert/key issue

Comment 2 Johan Cwiklinski 2013-04-27 21:01:42 UTC
Thanks for your report and your patch :)

Just a note about the modified openssl command: this was discussed during package review, and the decision has been made to let openssl defaults do their job (see https://bugzilla.redhat.com/show_bug.cgi?id=551765#c28 and others); so I'll not change that one.

Comment 3 Robert Scheck 2013-04-27 21:03:16 UTC
Ah! Good to know. Then skip that part.

Comment 4 Fedora Update System 2013-04-27 22:44:56 UTC
prosody-0.8.2-8.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/prosody-0.8.2-8.fc18

Comment 5 Fedora Update System 2013-04-27 22:45:20 UTC
prosody-0.8.2-6.el6 has been submitted as an update for Fedora EPEL 6.
https://admin.fedoraproject.org/updates/prosody-0.8.2-6.el6

Comment 6 Fedora Update System 2013-04-27 22:45:45 UTC
prosody-0.8.2-6.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/prosody-0.8.2-6.fc17

Comment 7 Fedora Update System 2013-04-27 22:56:14 UTC
prosody-0.8.2-9.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/prosody-0.8.2-9.el5

Comment 8 Fedora Update System 2013-04-28 18:31:29 UTC
prosody-0.8.2-9.el5 has been pushed to the Fedora EPEL 5 testing repository.

Comment 9 Fedora Update System 2013-05-15 19:43:47 UTC
prosody-0.8.2-9.el5 has been pushed to the Fedora EPEL 5 stable repository.

Comment 10 Fedora Update System 2013-05-29 17:33:38 UTC
prosody-0.8.2-6.el6 has been pushed to the Fedora EPEL 6 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2013-05-30 03:02:20 UTC
prosody-0.8.2-8.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 12 Fedora Update System 2013-05-30 03:07:46 UTC
prosody-0.8.2-6.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

