On 12.04.2012 20:26, Adam Tauno Williams wrote:
$> chmod 444 /etc/postfix/certs/mailkey.pem
$> ll /etc/postfix/certs/mailkey.pem
-r--r--r-- 1 root root 916 12. Apr 13:49 mailkey.pem

Does anyone know whether the changed user rights are a potential security concern?
Yes, huge. There is never ever any reason a *key* file should be world readable.
If you have /etc/ssl/some.key that needs to be readable by user cyrus and user mail then -
chmod 000 /etc/ssl/some.key
setfacl -m u:mail:r /etc/ssl/some.key
setfacl -m u:cyrus:r /etc/ssl/some.key
Thanks Adam Tauno Williams, I was a bit suspicious too, but hadn't thought of providing separate read/write access for special users. I hadn't mounted the fs having setfacl support, so I opted to add a separate group:

groupadd ssl
usermod -A mail,ssl postfix
usermod -A postfix,ssl cyrus
chown postfix:ssl mailkey.pem
chmod 440 mailkey.pem
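
A check for the condition discussed in this thread, as an added example that is not part of the original messages: it lists key files whose mode grants any access to "other", as the 444 mailkey.pem did. The function names and the *.pem / *.key name filter are assumptions, and the demo runs on empty constructed files in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the thread): flag key files that "other" can access.

# find_exposed_keys DIR -> prints one path per line.
# Assumption: key files are named *.pem or *.key. Certificates stored as
# *.pem will match too and need a manual look, since they are not secret.
find_exposed_keys() {
    find "$1" -type f \( -name '*.pem' -o -name '*.key' \) \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# key_mode_ok FILE -> exit status 0 when no "other" permission bit is set.
# Only the mode bits are inspected; group membership (for a 440 file) and
# ACL entries still have to be reviewed separately.
key_mode_ok() {
    [ -z "$(find "$1" -prune \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# Demo on constructed, empty files (not real keys).
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/mailkey.pem";   chmod 444 "$d/mailkey.pem"    # world readable
    : > "$d/grouponly.pem"; chmod 440 "$d/grouponly.pem"  # owner and group
    : > "$d/owneronly.key"; chmod 400 "$d/owneronly.key"  # owner only
    find_exposed_keys "$d"
    rm -rf "$d"
}

demo
```

Only the 444 file is reported; the 440 and 400 files pass the mode check.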