From 980485c46c2d0fab48410dc5aedb1a2fafa40a34 Mon Sep 17 00:00:00 2001 From: Till Brehm <tbrehm@ispconfig.org> Date: Fri, 17 Oct 2014 06:04:41 -0400 Subject: [PATCH] Fixed: FS#3696 - Interface SSL keys should be owned by root - Improved postfix SSL configuration to protect against poodle attack. --- install/tpl/debian_postfix.conf.master | 4 +++- install/lib/installer_base.lib.php | 4 ++++ install/dist/lib/fedora.lib.php | 7 +++++++ install/dist/lib/gentoo.lib.php | 2 ++ install/dist/lib/opensuse.lib.php | 7 +++++++ install/tpl/fedora_postfix.conf.master | 4 +++- install/tpl/opensuse_postfix.conf.master | 4 +++- install/tpl/gentoo_postfix.conf.master | 4 +++- 8 files changed, 32 insertions(+), 4 deletions(-) diff --git a/install/dist/lib/fedora.lib.php b/install/dist/lib/fedora.lib.php index e5eefa3..2c312cb 100644 --- a/install/dist/lib/fedora.lib.php +++ b/install/dist/lib/fedora.lib.php @@ -1058,6 +1058,13 @@ exec("chmod 600 $install_dir/server/lib/mysql_clientdb.conf"); exec("chown root:root $install_dir/server/lib/mysql_clientdb.conf"); } + + if(is_dir($install_dir.'/interface/invoices')) { + exec('chmod -R 770 '.escapeshellarg($install_dir.'/interface/invoices')); + exec('chown -R ispconfig:ispconfig '.escapeshellarg($install_dir.'/interface/invoices')); + } + + exec('chown -R root:root /usr/local/ispconfig/interface/ssl'); // TODO: FIXME: add the www-data user to the ispconfig group. This is just for testing // and must be fixed as this will allow the apache user to read the ispconfig files. diff --git a/install/dist/lib/gentoo.lib.php b/install/dist/lib/gentoo.lib.php index 005a2fc..3eebf91 100644 --- a/install/dist/lib/gentoo.lib.php +++ b/install/dist/lib/gentoo.lib.php @@ -962,6 +962,8 @@ exec('chmod -R 770 '.escapeshellarg($install_dir.'/interface/invoices')); exec('chown -R ispconfig:ispconfig '.escapeshellarg($install_dir.'/interface/invoices')); } + + exec('chown -R root:root /usr/local/ispconfig/interface/ssl'); // TODO: FIXME: add the www-data user to the ispconfig group. This is just for testing // and must be fixed as this will allow the apache user to read the ispconfig files. diff --git a/install/dist/lib/opensuse.lib.php b/install/dist/lib/opensuse.lib.php index cd47d05..6f08073 100644 --- a/install/dist/lib/opensuse.lib.php +++ b/install/dist/lib/opensuse.lib.php @@ -1131,6 +1131,13 @@ exec("chmod 600 $install_dir/server/lib/mysql_clientdb.conf"); exec("chown root:root $install_dir/server/lib/mysql_clientdb.conf"); } + + if(is_dir($install_dir.'/interface/invoices')) { + exec('chmod -R 770 '.escapeshellarg($install_dir.'/interface/invoices')); + exec('chown -R ispconfig:ispconfig '.escapeshellarg($install_dir.'/interface/invoices')); + } + + exec('chown -R root:root /usr/local/ispconfig/interface/ssl'); // TODO: FIXME: add the www-data user to the ispconfig group. This is just for testing // and must be fixed as this will allow the apache user to read the ispconfig files. diff --git a/install/lib/installer_base.lib.php b/install/lib/installer_base.lib.php index 5958d9d..86429a9 100644 --- a/install/lib/installer_base.lib.php +++ b/install/lib/installer_base.lib.php @@ -1716,6 +1716,8 @@ exec("openssl rsa -passin pass:$ssl_pw -in $ssl_key_file -out $ssl_key_file.insecure"); rename($ssl_key_file, $ssl_key_file.'.secure'); rename($ssl_key_file.'.insecure', $ssl_key_file); + + exec('chown -R root:root /usr/local/ispconfig/interface/ssl'); } @@ -1994,6 +1996,8 @@ exec('chmod -R 770 '.escapeshellarg($install_dir.'/interface/invoices')); exec('chown -R ispconfig:ispconfig '.escapeshellarg($install_dir.'/interface/invoices')); } + + exec('chown -R root:root /usr/local/ispconfig/interface/ssl'); // TODO: FIXME: add the www-data user to the ispconfig group. This is just for testing // and must be fixed as this will allow the apache user to read the ispconfig files. diff --git a/install/tpl/debian_postfix.conf.master b/install/tpl/debian_postfix.conf.master index ff5052e..b322ca7 100644 --- a/install/tpl/debian_postfix.conf.master +++ b/install/tpl/debian_postfix.conf.master @@ -32,4 +32,6 @@ body_checks = regexp:{config_dir}/body_checks owner_request_special = no smtp_tls_security_level = may -smtpd_tls_mandatory_protocols=!SSLv2, !SSLv3 \ No newline at end of file +smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 +smtpd_tls_protocols = !SSLv2,!SSLv3 +smtp_tls_protocols = !SSLv2,!SSLv3 \ No newline at end of file diff --git a/install/tpl/fedora_postfix.conf.master b/install/tpl/fedora_postfix.conf.master index 88c8d59..8545002 100644 --- a/install/tpl/fedora_postfix.conf.master +++ b/install/tpl/fedora_postfix.conf.master @@ -29,4 +29,6 @@ body_checks = regexp:{config_dir}/body_checks inet_interfaces = all smtp_tls_security_level = may -smtpd_tls_mandatory_protocols=!SSLv2, !SSLv3 \ No newline at end of file +smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 +smtpd_tls_protocols = !SSLv2,!SSLv3 +smtp_tls_protocols = !SSLv2,!SSLv3 \ No newline at end of file diff --git a/install/tpl/gentoo_postfix.conf.master b/install/tpl/gentoo_postfix.conf.master index 1ddfd40..ca21de5 100644 --- a/install/tpl/gentoo_postfix.conf.master +++ b/install/tpl/gentoo_postfix.conf.master @@ -29,4 +29,6 @@ body_checks = regexp:{config_dir}/body_checks inet_interfaces = all smtp_tls_security_level = may -smtpd_tls_mandatory_protocols=!SSLv2, !SSLv3 \ No newline at end of file +smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 +smtpd_tls_protocols = !SSLv2,!SSLv3 +smtp_tls_protocols = !SSLv2,!SSLv3 \ No newline at end of file diff --git a/install/tpl/opensuse_postfix.conf.master b/install/tpl/opensuse_postfix.conf.master index 80d1fd1..a94235a 100644 --- a/install/tpl/opensuse_postfix.conf.master +++ b/install/tpl/opensuse_postfix.conf.master @@ -31,4 +31,6 @@ body_checks = regexp:{config_dir}/body_checks inet_interfaces = all smtp_tls_security_level = may -smtpd_tls_mandatory_protocols=!SSLv2, !SSLv3 \ No newline at end of file +smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3 +smtpd_tls_protocols = !SSLv2,!SSLv3 +smtp_tls_protocols = !SSLv2,!SSLv3 \ No newline at end of file -- Gitblit v1.9.1