Posted to users@trafficserver.apache.org by Reindl Harald <h....@thelounge.net> on 2014/01/31 13:52:50 UTC

permissions of cert-files

Hi

one small issue with ssl-certs:
they must be readable by the ats-user

httpd reads them at startup before downgrading uid/gid
the benefit is that they can be chmod 400 and owned by root
in case of a security-relevant bug that may prevent leaks
_________________________

my personal issue is that we distribute the wildcard-cert to all
relevant machines in an own directory which is chmod 400 and after
the cert expires and is renewed the admin server can distribute it

for now i need to make an ats-readable copy because a hard-link
would have the same permissions on both and in case the distribute
script is fired up they are reset



Re: permissions of cert-files

Posted by Reindl Harald <h....@thelounge.net>.

Am 31.01.2014 17:36, schrieb James Peach:
> On Jan 31, 2014, at 8:32 AM, Reindl Harald <h....@thelounge.net> wrote:
> 
>> Am 31.01.2014 17:24, schrieb James Peach:
>>> On Jan 31, 2014, at 4:52 AM, Reindl Harald <h....@thelounge.net> wrote:
>>>
>>>> one small issue with ssl-certs:
>>>> they must be readable by the ats-user
>>>>
>>>> httpd reads them at startup before downgrading uid/gid
>>>> the benefit is that they can be chmod 400 and owned by root
>>>> in case of a security-relevant bug that may prevent leaks
>>>
>>> https://issues.apache.org/jira/browse/TS-2353
>>> https://issues.apache.org/jira/browse/TS-612
>>>
>>> Ron Barber has been working on this for 4.2 and I expect that we will land these changes soon. In the longer term I'd like to support the Linux kernel key management API, which I believe will give you better options for controlling access to keys.
>>
>> Have I said often enough "thank you" for such a responsible upstream project like ATS?
> 
> Full marks to the Yahoo engineers, who have been driving the SSL improvements in 4.2. SSL support was formerly somewhat neglected so it's very timely and appreciated work :)

so special thanks to the Yahoo engineers, nice to see that they still work on ATS,
which is not self-evident when a piece of software is made open source and placed
under the hood of the ASF



Re: permissions of cert-files

Posted by James Peach <jp...@apache.org>.
On Jan 31, 2014, at 8:32 AM, Reindl Harald <h....@thelounge.net> wrote:

> 
> 
> Am 31.01.2014 17:24, schrieb James Peach:
>> On Jan 31, 2014, at 4:52 AM, Reindl Harald <h....@thelounge.net> wrote:
>> 
>>> one small issue with ssl-certs:
>>> they must be readable by the ats-user
>>> 
>>> httpd reads them at startup before downgrading uid/gid
>>> the benefit is that they can be chmod 400 and owned by root
>>> in case of a security-relevant bug that may prevent leaks
>> 
>> https://issues.apache.org/jira/browse/TS-2353
>> https://issues.apache.org/jira/browse/TS-612
>> 
>> Ron Barber has been working on this for 4.2 and I expect that we will land these changes soon. In the longer term I'd like to support the Linux kernel key management API, which I believe will give you better options for controlling access to keys.
> 
> Have I said often enough "thank you" for such a responsible upstream project like ATS?

Full marks to the Yahoo engineers, who have been driving the SSL improvements in 4.2. SSL support was formerly somewhat neglected so it's very timely and appreciated work :)

J

Re: permissions of cert-files

Posted by Reindl Harald <h....@thelounge.net>.

Am 31.01.2014 17:24, schrieb James Peach:
> On Jan 31, 2014, at 4:52 AM, Reindl Harald <h....@thelounge.net> wrote:
> 
>> one small issue with ssl-certs:
>> they must be readable by the ats-user
>>
>> httpd reads them at startup before downgrading uid/gid
>> the benefit is that they can be chmod 400 and owned by root
>> in case of a security-relevant bug that may prevent leaks
> 
> https://issues.apache.org/jira/browse/TS-2353
> https://issues.apache.org/jira/browse/TS-612
> 
> Ron Barber has been working on this for 4.2 and I expect that we will land these changes soon. In the longer term I'd like to support the Linux kernel key management API, which I believe will give you better options for controlling access to keys.

Have I said often enough "thank you" for such a responsible upstream project like ATS?


Re: permissions of cert-files

Posted by James Peach <jp...@apache.org>.
On Jan 31, 2014, at 4:52 AM, Reindl Harald <h....@thelounge.net> wrote:

> Hi
> 
> one small issue with ssl-certs:
> they must be readable by the ats-user
> 
> httpd reads them at startup before downgrading uid/gid
> the benefit is that they can be chmod 400 and owned by root
> in case of a security-relevant bug that may prevent leaks

https://issues.apache.org/jira/browse/TS-2353
https://issues.apache.org/jira/browse/TS-612

Ron Barber has been working on this for 4.2 and I expect that we will land these changes soon. In the longer term I'd like to support the Linux kernel key management API, which I believe will give you better options for controlling access to keys.

> _________________________
> 
> my personal issue is that we distribute the wildcard-cert to all
> relevant machines in an own directory which is chmod 400 and after
> the cert expires and is renewed the admin server can distribute it
> 
> for now i need to make an ats-readable copy because a hard-link
> would have the same permissions on both and in case the distribute
> script is fired up they are reset
> 
> 


Re: permissions of cert-files

Posted by Jan-Frode Myklebust <ja...@tanso.net>.
On Fri, Jan 31, 2014 at 01:52:50PM +0100, Reindl Harald wrote:
> 
> my personal issue is that we distribute the wildcard-cert to all
> relevant machines in an own directory which is chmod 400 and after
> the cert expires and is renewed the admin server can distribute it

We do the same, but for files that ATS needs to access, we make them
owned by root:ats, mode 440. I very much agree they should be opened by
root on startup instead.


  -jf
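
The two patterns discussed in this thread, the original post's "read the key as root before downgrading uid/gid so the file can stay root-owned chmod 400" and Jan-Frode's interim "root:ats, mode 440", as an added example that is not code from the thread or from Apache Traffic Server. The function names (`audit_key_file`, `drop_privileges`, `load_keys_then_drop`), the sample key bytes and the policy checks are this example's own assumptions; `demo()` runs the scenario without root by using the current uid and the temp file's group as stand-ins for root and the ats group, and simulates the privilege drop by revoking all permission bits on the file:

```python
"""Added example (not from the thread): open key files while privileged, then
drop uid/gid and read from the already-open descriptors, plus an audit of the
two ownership/mode policies discussed (root-only 0400, or root:<service> 0440).
All function names here are this example's own."""
import os
import shutil
import stat
import tempfile


def audit_key_file(path, owner_uid=0, service_gid=None):
    """Return a list of policy violations for a private-key file.

    Policy: owned by owner_uid; no access for 'other'; no group write/execute;
    group read only when service_gid is given and matches the file's group.
    An empty list means the file passes."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if st.st_uid != owner_uid:
        problems.append(f"owner uid {st.st_uid}, expected {owner_uid}")
    if mode & stat.S_IRWXO:
        problems.append(f"mode {oct(mode)} grants access to everyone")
    group_bits = mode & stat.S_IRWXG
    if group_bits & ~stat.S_IRGRP:
        problems.append(f"mode {oct(mode)} grants group write or execute")
    if group_bits & stat.S_IRGRP:
        if service_gid is None:
            problems.append(f"mode {oct(mode)} is group-readable; owner-only expected")
        elif st.st_gid != service_gid:
            problems.append(f"group gid {st.st_gid} can read it, expected {service_gid}")
    return problems


def drop_privileges(uid, gid):
    """Drop root to uid/gid. Order matters: supplementary groups, gid, then uid
    (calling setuid first would leave no privilege to change the group)."""
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    if os.getuid() != uid or os.getgid() != gid:
        raise RuntimeError("privilege drop did not take effect")


def load_keys_then_drop(paths, uid, gid, drop=drop_privileges):
    """Open every key file while still privileged, drop privileges, then read.

    The kernel checks file permissions at open(), not at read(), so the files
    can stay root-owned 0400: after the drop the process keeps only the open
    descriptors, and a later file-read bug in the service cannot re-open them."""
    handles = [open(p, "rb") for p in paths]   # needs privilege for a 0400 root file
    drop(uid, gid)                              # from here on we are unprivileged
    contents = {}
    for p, fh in zip(paths, handles):
        with fh:
            contents[p] = fh.read()             # still works: the descriptor is open
    return contents


def demo():
    """Run the scenario on a constructed key file in a temp dir, without root.
    Current uid and the file's gid stand in for root and the ats group; the
    'drop' is simulated by revoking every permission bit on the file."""
    workdir = tempfile.mkdtemp()
    key = os.path.join(workdir, "wildcard.key")
    with open(key, "wb") as fh:                 # constructed sample, not a real key
        fh.write(b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-SAMPLE\n-----END PRIVATE KEY-----\n")
    me, file_gid = os.getuid(), os.stat(key).st_gid
    try:
        os.chmod(key, 0o400)                    # httpd-style: root-owned, owner-only
        audit_0400 = audit_key_file(key, owner_uid=me)
        os.chmod(key, 0o440)                    # root:ats 440 style
        audit_0440_no_group = audit_key_file(key, owner_uid=me)
        audit_0440_service = audit_key_file(key, owner_uid=me, service_gid=file_gid)

        def simulated_drop(uid, gid):
            os.chmod(key, 0)                    # after this a fresh open() would be denied

        loaded = load_keys_then_drop([key], me, file_gid, drop=simulated_drop)
        return {
            "audit_0400": audit_0400,
            "audit_0440_no_group": audit_0440_no_group,
            "audit_0440_service": audit_0440_service,
            "key_bytes": loaded[key],
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

In a real service `drop_privileges` is the one that runs (as root, after the `open()` calls), and `audit_key_file` with `owner_uid=0` is the check a distribution script can run after copying the certificate so that a reset to group- or world-readable permissions is caught before the service starts.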