apache: Ensure that not everyone can read the keys

This would become a security risk if anyone gets shell access as any user to copy out the HTTPS keys. Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2026-04-10 02:55:55 +02:00 · 2017-11-07 20:30:52 +00:00
parent b5aca95b94
commit d409286074
3 changed files with 8 additions and 0 deletions
--- a/config/rootfiles/core/117/filelists/files
+++ b/config/rootfiles/core/117/filelists/files
@@ -1,6 +1,7 @@
 etc/system-release
 etc/issue
 etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf
+etc/rc.d/init.d/apache
 etc/ssl/certs/ca-bundle.crt
 etc/ssl/certs/ca-bundle.trust.crt
 opt/pakfire/lib/functions.pl
--- a/config/rootfiles/core/117/update.sh
+++ b/config/rootfiles/core/117/update.sh
@@ -39,6 +39,11 @@ extract_files
 # update linker config
 ldconfig

+# Make apache keys not readable for everyone
+chmod 600 \
+	/etc/httpd/server.key \
+	/etc/httpd/server-ecdsa.key
+
 # Update Language cache
 #/usr/local/bin/update-lang-cache

--- a/src/initscripts/system/apache
+++ b/src/initscripts/system/apache
@@ -11,6 +11,7 @@ generate_certificates() {
 	if [ ! -f "/etc/httpd/server.key" ]; then
 		boot_mesg "Generating HTTPS RSA server key (this will take a moment)..."
 		openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null
+		chmod 600 /etc/httpd/server.key
 		evaluate_retval
 	fi

@@ -18,6 +19,7 @@ generate_certificates() {
 		boot_mesg "Generating HTTPS ECDSA server key..."
 		openssl ecparam -genkey -name secp384r1 -noout \
 			-out /etc/httpd/server-ecdsa.key &>/dev/null
+		chmod 600 /etc/httpd/server-ecdsa.key
 		evaluate_retval
 	fi