TLS certificate permission checks

Julien ÉLIE julien at trigofacile.com
Fri Oct 28 08:44:55 UTC 2016 

Hi Russ,

> In another group I read, someone was setting up a TLS certificate for 
> use
> with nnrpd using Let's Encrypt, and they ran into a ton of trouble 
> because
> of the very tight permission checks in nnrpd before it's willing to use
> the certificate.  (The root problem was that the key was rejected 
> because
> it was owned by a different group than news, even though it otherwise 
> had
> the correct permissions.)
> 
> I think we may be a bit too aggressive about this.  We're trying to
> protect people against mistakes that could leak the key to other users 
> on
> the same host, but it's increasingly uncommon for a news server to run 
> on
> the same box as untrusted people, so I'm not sure how much this 
> matters.
> And it causes some friction when people are setting up automatic
> certificate renewal.
> 
> What would folks think about replacing the current checks in 
> nnrpd/tls.c
> with just:
> 
>     !S_ISREG(buf.st_mode) || (buf.st_mode & 0007) != 0
> 
> which just makes sure that it's a regular file and not world-readable?

Shouldn't we also check that the key is readable?

I think it was the point of the initial commit in 2002:
   https://inn.eyrie.org/trac/changeset/6037/trunk/nnrpd/tls.c
where the check was:

    !S_ISREG(buf.st_mode) || (buf.st_mode & 0077) != 0 || buf.st_uid != 
getuid()


Otherwise, maybe the error appearing in the logs is not clear enough,
if it does not say that there is a read access issue.



I agree that the new checks in 2011 were probably too restrictive
for the use case you mention in your mail:
   https://inn.eyrie.org/trac/changeset/9219/trunk/nnrpd/tls.c

    /* Check that the key file is a real file, not readable by
     * everyone.  If the mode is 440 or 640, make sure the group owner
     * is the news group (to prevent the failure case of having 
news:users
     * as the owner and group. */

      !S_ISREG(buf.st_mode) || (buf.st_mode & 0137) != 0
        || ((buf.st_mode & 0040) != 0 && buf.st_gid != getegid())

-- 
Julien

More information about the inn-workers mailing list