Am 06.02.2014 09:29, schrieb Phil:
On 6/02/2014 6:23 PM, Steffen Kaiser wrote:
You show us the symbolic link, which has all Unix permissions usually. The interessting file is the final target, e.g. /etc/ssl/private/ssl-cert-snakeoil.key if that is no symlink as well, and the permissions of all directories to it.
For instance, Debian uses the perms for the private dir:
drwx--x--- 2 root ssl-cert 4096 Jul 4 2012 /etc/ssl/private/
I think it looks the same on your Ubuntu machine. So add the Dovecot user to group ssl-cert to let it enter the directory at all. The Snakeoil key is usually group-readable for ssl-cert, too. So no change of permissions necessary there as well.
I did this and my perms look like thus now:
total 8 -rw------- 1 root dovecot 887 2013-11-25 11:33 dovecot.pem -rw-r----- 1 dovecot ssl-cert 887 2013-11-17 12:27 ssl-cert-snakeoil.key lrwxrwxrwx 1 root root 38 2013-11-27 08:35 ssl-mail.key -> /etc/ssl/priv ate/ssl-cert-snakeoil.key
for the sake of correctness:
- the server process owning config files is generally bad
- ssl-certs are opened with root permissions at startup
- that is why chmod 0400 and owner/group root are the recommended perms for certificates
- the same for Apache httpd and Postfix
- only Apache Trafficserver opens certs as ats-user (fow now)
the only thing where permissions could be relevant at all in context of ssl-certificates is if someone removes the execture permissions from one of the parents folders