Commit 980485c4 authored by Till Brehm's avatar Till Brehm

Fixed: FS#3696 - Interface SSL keys should be owned by root

- Improved postfix SSL configuration to protect against poodle attack.
parent 29e299fe
......@@ -1058,6 +1058,13 @@ class installer_dist extends installer_base {
exec("chmod 600 $install_dir/server/lib/mysql_clientdb.conf");
exec("chown root:root $install_dir/server/lib/mysql_clientdb.conf");
}
if(is_dir($install_dir.'/interface/invoices')) {
exec('chmod -R 770 '.escapeshellarg($install_dir.'/interface/invoices'));
exec('chown -R ispconfig:ispconfig '.escapeshellarg($install_dir.'/interface/invoices'));
}
exec('chown -R root:root /usr/local/ispconfig/interface/ssl');
// TODO: FIXME: add the www-data user to the ispconfig group. This is just for testing
// and must be fixed as this will allow the apache user to read the ispconfig files.
......
......@@ -962,6 +962,8 @@ class installer extends installer_base
exec('chmod -R 770 '.escapeshellarg($install_dir.'/interface/invoices'));
exec('chown -R ispconfig:ispconfig '.escapeshellarg($install_dir.'/interface/invoices'));
}
exec('chown -R root:root /usr/local/ispconfig/interface/ssl');
// TODO: FIXME: add the www-data user to the ispconfig group. This is just for testing
// and must be fixed as this will allow the apache user to read the ispconfig files.
......
......@@ -1131,6 +1131,13 @@ class installer_dist extends installer_base {
exec("chmod 600 $install_dir/server/lib/mysql_clientdb.conf");
exec("chown root:root $install_dir/server/lib/mysql_clientdb.conf");
}
if(is_dir($install_dir.'/interface/invoices')) {
exec('chmod -R 770 '.escapeshellarg($install_dir.'/interface/invoices'));
exec('chown -R ispconfig:ispconfig '.escapeshellarg($install_dir.'/interface/invoices'));
}
exec('chown -R root:root /usr/local/ispconfig/interface/ssl');
// TODO: FIXME: add the www-data user to the ispconfig group. This is just for testing
// and must be fixed as this will allow the apache user to read the ispconfig files.
......
......@@ -1716,6 +1716,8 @@ class installer_base {
exec("openssl rsa -passin pass:$ssl_pw -in $ssl_key_file -out $ssl_key_file.insecure");
rename($ssl_key_file, $ssl_key_file.'.secure');
rename($ssl_key_file.'.insecure', $ssl_key_file);
exec('chown -R root:root /usr/local/ispconfig/interface/ssl');
}
......@@ -1994,6 +1996,8 @@ class installer_base {
exec('chmod -R 770 '.escapeshellarg($install_dir.'/interface/invoices'));
exec('chown -R ispconfig:ispconfig '.escapeshellarg($install_dir.'/interface/invoices'));
}
exec('chown -R root:root /usr/local/ispconfig/interface/ssl');
// TODO: FIXME: add the www-data user to the ispconfig group. This is just for testing
// and must be fixed as this will allow the apache user to read the ispconfig files.
......
......@@ -32,4 +32,6 @@ nested_header_checks = regexp:{config_dir}/nested_header_checks
body_checks = regexp:{config_dir}/body_checks
owner_request_special = no
smtp_tls_security_level = may
smtpd_tls_mandatory_protocols=!SSLv2, !SSLv3
\ No newline at end of file
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
\ No newline at end of file
......@@ -29,4 +29,6 @@ nested_header_checks = regexp:{config_dir}/nested_header_checks
body_checks = regexp:{config_dir}/body_checks
inet_interfaces = all
smtp_tls_security_level = may
smtpd_tls_mandatory_protocols=!SSLv2, !SSLv3
\ No newline at end of file
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
\ No newline at end of file
......@@ -29,4 +29,6 @@ nested_header_checks = regexp:{config_dir}/nested_header_checks
body_checks = regexp:{config_dir}/body_checks
inet_interfaces = all
smtp_tls_security_level = may
smtpd_tls_mandatory_protocols=!SSLv2, !SSLv3
\ No newline at end of file
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
\ No newline at end of file
......@@ -31,4 +31,6 @@ nested_header_checks = regexp:{config_dir}/nested_header_checks
body_checks = regexp:{config_dir}/body_checks
inet_interfaces = all
smtp_tls_security_level = may
smtpd_tls_mandatory_protocols=!SSLv2, !SSLv3
\ No newline at end of file
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtpd_tls_protocols = !SSLv2,!SSLv3
smtp_tls_protocols = !SSLv2,!SSLv3
\ No newline at end of file
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment