ISPConfig3 devel
parent: 29e299fe | patch | commit | ignore whitespace
Till Brehm
2014-10-17 980485c46c2d0fab48410dc5aedb1a2fafa40a34 
Fixed: FS#3696 - Interface SSL keys should be owned by root
- Improved postfix SSL configuration to protect against poodle attack.
8 files modified
36 ■■■■ changed files
install/dist/lib/fedora.lib.php 7 ●●●●● patch | view | raw | blame | history
install/dist/lib/gentoo.lib.php 2 ●●●●● patch | view | raw | blame | history
install/dist/lib/opensuse.lib.php 7 ●●●●● patch | view | raw | blame | history
install/lib/installer_base.lib.php 4 ●●●● patch | view | raw | blame | history
install/tpl/debian_postfix.conf.master 4 ●●● patch | view | raw | blame | history
install/tpl/fedora_postfix.conf.master 4 ●●● patch | view | raw | blame | history
install/tpl/gentoo_postfix.conf.master 4 ●●● patch | view | raw | blame | history
install/tpl/opensuse_postfix.conf.master 4 ●●● patch | view | raw | blame | history 
 install/dist/lib/fedora.lib.php


@@ -1058,6 +1058,13 @@


            exec("chmod 600 $install_dir/server/lib/mysql_clientdb.conf");


            exec("chown root:root $install_dir/server/lib/mysql_clientdb.conf");


        }


		


        if(is_dir($install_dir.'/interface/invoices')) {


            exec('chmod -R 770 '.escapeshellarg($install_dir.'/interface/invoices'));


            exec('chown -R ispconfig:ispconfig '.escapeshellarg($install_dir.'/interface/invoices'));


        }


		


        exec('chown -R root:root /usr/local/ispconfig/interface/ssl');




        // TODO: FIXME: add the www-data user to the ispconfig group. This is just for testing


        // and must be fixed as this will allow the apache user to read the ispconfig files.




 install/dist/lib/gentoo.lib.php


@@ -962,6 +962,8 @@


            exec('chmod -R 770 '.escapeshellarg($install_dir.'/interface/invoices'));


            exec('chown -R ispconfig:ispconfig '.escapeshellarg($install_dir.'/interface/invoices'));


        }


		


        exec('chown -R root:root /usr/local/ispconfig/interface/ssl');




        // TODO: FIXME: add the www-data user to the ispconfig group. This is just for testing


        // and must be fixed as this will allow the apache user to read the ispconfig files.




 install/dist/lib/opensuse.lib.php


@@ -1131,6 +1131,13 @@


            exec("chmod 600 $install_dir/server/lib/mysql_clientdb.conf");


            exec("chown root:root $install_dir/server/lib/mysql_clientdb.conf");


        }


		


        if(is_dir($install_dir.'/interface/invoices')) {


            exec('chmod -R 770 '.escapeshellarg($install_dir.'/interface/invoices'));


            exec('chown -R ispconfig:ispconfig '.escapeshellarg($install_dir.'/interface/invoices'));


        }


		


        exec('chown -R root:root /usr/local/ispconfig/interface/ssl');




        // TODO: FIXME: add the www-data user to the ispconfig group. This is just for testing


        // and must be fixed as this will allow the apache user to read the ispconfig files.




 install/lib/installer_base.lib.php


@@ -1716,6 +1716,8 @@


        exec("openssl rsa -passin pass:$ssl_pw -in $ssl_key_file -out $ssl_key_file.insecure");


        rename($ssl_key_file, $ssl_key_file.'.secure');


        rename($ssl_key_file.'.insecure', $ssl_key_file);


		


        exec('chown -R root:root /usr/local/ispconfig/interface/ssl');




    }




@@ -1994,6 +1996,8 @@


            exec('chmod -R 770 '.escapeshellarg($install_dir.'/interface/invoices'));


            exec('chown -R ispconfig:ispconfig '.escapeshellarg($install_dir.'/interface/invoices'));


        }


		


        exec('chown -R root:root /usr/local/ispconfig/interface/ssl');




        // TODO: FIXME: add the www-data user to the ispconfig group. This is just for testing


        // and must be fixed as this will allow the apache user to read the ispconfig files.




 install/tpl/debian_postfix.conf.master


@@ -32,4 +32,6 @@


body_checks = regexp:{config_dir}/body_checks


owner_request_special = no


smtp_tls_security_level = may


smtpd_tls_mandatory_protocols=!SSLv2, !SSLv3


smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3


smtpd_tls_protocols = !SSLv2,!SSLv3


smtp_tls_protocols = !SSLv2,!SSLv3




 install/tpl/fedora_postfix.conf.master


@@ -29,4 +29,6 @@


body_checks = regexp:{config_dir}/body_checks


inet_interfaces = all


smtp_tls_security_level = may


smtpd_tls_mandatory_protocols=!SSLv2, !SSLv3


smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3


smtpd_tls_protocols = !SSLv2,!SSLv3


smtp_tls_protocols = !SSLv2,!SSLv3




 install/tpl/gentoo_postfix.conf.master


@@ -29,4 +29,6 @@


body_checks = regexp:{config_dir}/body_checks


inet_interfaces = all


smtp_tls_security_level = may


smtpd_tls_mandatory_protocols=!SSLv2, !SSLv3


smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3


smtpd_tls_protocols = !SSLv2,!SSLv3


smtp_tls_protocols = !SSLv2,!SSLv3




 install/tpl/opensuse_postfix.conf.master


@@ -31,4 +31,6 @@


body_checks = regexp:{config_dir}/body_checks


inet_interfaces = all


smtp_tls_security_level = may


smtpd_tls_mandatory_protocols=!SSLv2, !SSLv3


smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3


smtpd_tls_protocols = !SSLv2,!SSLv3


smtp_tls_protocols = !SSLv2,!SSLv3