Yedidyah Bar David has posted comments on this change.

Change subject: packaging: pki: ca private key perms
......................................................................

Patch Set 1:

(1 comment)

http://gerrit.ovirt.org/#/c/25084/1/packaging/bin/pki-create-ca.sh
File packaging/bin/pki-create-ca.sh:

Line 51:
Line 52: touch "${PKIDIR}/database.txt" "${PKIDIR}/.rnd" || die "Cannot write to database.txt"
Line 53:
Line 54: touch "${PKIDIR}/private/ca.pem"
Line 55: chmod go-rwx "${PKIDIR}/private/ca.pem" || die "Cannot set CA permissions"

I now checked that this isn't a security issue because private/ is 750.

I thought that to read a file you do not need permissions (neither r nor x) on its parent directory but now checked and I was wrong. I could not find documentation for this anywhere, though. Every place I checked says what I already know - you need 'r' on a directory to read it (ls), 'x' to cd to it, 'w' to add or delete files in it. No-one says what you need to read files in it.

Still better to do go-rwx. Not sure how I did not notice this so far...

Line 56: openssl genrsa \
Line 57: -out "${PKIDIR}/private/ca.pem" \
Line 58: 2048 \
Line 59: || die "Cannot generate CA key"

--
To view, visit http://gerrit.ovirt.org/25084

Gerrit-MessageType: comment
Gerrit-Change-Id: I66451545cf7875d4671924ffdf4e578035357d92
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Yedidyah Bar David <[email protected]>
Gerrit-Reviewer: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: Yedidyah Bar David <[email protected]>
Gerrit-Reviewer: [email protected]
Gerrit-HasComments: Yes
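
The directory rule discussed in the review comment above, as an added example that is not part of the original message or of ovirt-engine: opening a file needs search permission (x) on every directory leading to it, plus r on the file itself. The function names, the scratch tree and the use of GNU stat are assumptions of this sketch; it judges mode bits for "other" only and ignores ACLs, SELinux and root.

```shell
#!/bin/sh
# Added example: mode-bit audit of a path, judged for "other" users only.
# Assumes GNU stat (Linux); ignores ACLs, SELinux and root's override.

# Last octal digit of PATH's mode = the permission bits for "other".
other_bits() {
    m=$(stat -c '%a' "$1") || return 2
    printf '%s\n' "${m#"${m%?}"}"
}

# other_can_read BASE RELPATH
# 0: every directory from BASE down grants o+x and the file grants o+r
# 1: blocked somewhere on the way   2: a component could not be examined
other_can_read() {
    cur=$1
    rest=$2
    while [ -n "$rest" ]; do
        # Looking up the next name needs search (x) on the current directory.
        bits=$(other_bits "$cur") || return 2
        case $bits in 1|3|5|7) ;; *) return 1 ;; esac
        comp=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest= ;; esac
        cur=$cur/$comp
    done
    # The file itself needs read (r).
    bits=$(other_bits "$cur") || return 2
    case $bits in 4|5|6|7) return 0 ;; *) return 1 ;; esac
}

# Demo on a constructed scratch tree shaped like ${PKIDIR}/private/ca.pem.
demo() {
    d=$(mktemp -d) || return 2
    chmod 755 "$d"; mkdir "$d/private"; touch "$d/private/ca.pem"
    chmod 644 "$d/private/ca.pem"
    for dirmode in 750 755; do
        chmod "$dirmode" "$d/private"
        if other_can_read "$d" private/ca.pem; then v=readable; else v=blocked; fi
        echo "private/ $dirmode, ca.pem 644: $v for other"
    done
    chmod go-rwx "$d/private/ca.pem"
    if other_can_read "$d" private/ca.pem; then v=readable; else v=blocked; fi
    echo "private/ 755, ca.pem after go-rwx: $v for other"
    rm -rf "$d"
}
demo
```

The middle case (private/ at 755 with the key at 644) is the one where only the file's own mode stands between the key and other users, which is why the explicit chmod go-rwx is still worth having.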
