
Commit 980485c

author
Till Brehm
committed
Fixed: FS#3696 - Interface SSL keys should be owned by root
- Improved the Postfix TLS configuration to protect against the POODLE attack.
1 parent 29e299f commit 980485c


8 files changed

+32
-4
lines changed


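--- a/install/dist/lib/fedora.lib.php
+++ b/install/dist/lib/fedora.lib.php
@@ -1058,6 +1058,13 @@ public function install_ispconfig()
 exec("chmod 600 $install_dir/server/lib/mysql_clientdb.conf");
 exec("chown root:root $install_dir/server/lib/mysql_clientdb.conf");
 }
+
+if(is_dir($install_dir.'/interface/invoices')) {
+exec('chmod -R 770 '.escapeshellarg($install_dir.'/interface/invoices'));
+exec('chown -R ispconfig:ispconfig '.escapeshellarg($install_dir.'/interface/invoices'));
+}
+
+exec('chown -R root:root /usr/local/ispconfig/interface/ssl');
 
 // TODO: FIXME: add the www-data user to the ispconfig group. This is just for testing
 // and must be fixed as this will allow the apache user to read the ispconfig files.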
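Review bot: The new `chown` on the last added line hard-codes `/usr/local/ispconfig/interface/ssl` while every neighbouring command in this hunk is built from `$install_dir`, so on a non-default install prefix the key files are left untouched (or an unrelated directory is chowned); use `exec('chown -R root:root '.escapeshellarg($install_dir.'/interface/ssl'));`. Ownership alone does not stop other users from reading the key: two lines above, `mysql_clientdb.conf` gets `chmod 600` paired with `chown root:root`, and that pairing is missing here, so consider adding `exec('chmod -R go-rwx '.escapeshellarg($install_dir.'/interface/ssl'));` provided nothing but root needs to read these files (not verifiable from this hunk — confirm the panel vhost is loaded as root). install_ispconfig() starts before this hunk.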

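--- a/install/dist/lib/gentoo.lib.php
+++ b/install/dist/lib/gentoo.lib.php
@@ -962,6 +962,8 @@ public function install_ispconfig()
 exec('chmod -R 770 '.escapeshellarg($install_dir.'/interface/invoices'));
 exec('chown -R ispconfig:ispconfig '.escapeshellarg($install_dir.'/interface/invoices'));
 }
+
+exec('chown -R root:root /usr/local/ispconfig/interface/ssl');
 
 // TODO: FIXME: add the www-data user to the ispconfig group. This is just for testing
 // and must be fixed as this will allow the apache user to read the ispconfig files.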
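Review bot: The added `chown -R root:root` uses a literal `/usr/local/ispconfig/interface/ssl` path even though the two context lines directly above derive their path from `$install_dir` via `escapeshellarg()`; the same derivation should be used here, `exec('chown -R root:root '.escapeshellarg($install_dir.'/interface/ssl'));`, otherwise a custom install prefix is silently skipped. Note that changing the owner does not change the mode, so a key that was group- or world-readable before this commit stays readable after it; a `chmod` on the key files (as this file already does with `chmod -R 770` for invoices) would be needed to actually enforce root-only access. install_ispconfig() starts before this hunk.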

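--- a/install/dist/lib/opensuse.lib.php
+++ b/install/dist/lib/opensuse.lib.php
@@ -1131,6 +1131,13 @@ public function install_ispconfig()
 exec("chmod 600 $install_dir/server/lib/mysql_clientdb.conf");
 exec("chown root:root $install_dir/server/lib/mysql_clientdb.conf");
 }
+
+if(is_dir($install_dir.'/interface/invoices')) {
+exec('chmod -R 770 '.escapeshellarg($install_dir.'/interface/invoices'));
+exec('chown -R ispconfig:ispconfig '.escapeshellarg($install_dir.'/interface/invoices'));
+}
+
+exec('chown -R root:root /usr/local/ispconfig/interface/ssl');
 
 // TODO: FIXME: add the www-data user to the ispconfig group. This is just for testing
 // and must be fixed as this will allow the apache user to read the ispconfig files.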
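Review bot: The final added line chowns a hard-coded `/usr/local/ispconfig/interface/ssl` instead of `$install_dir.'/interface/ssl'` like the invoices block just above it; replace it with `exec('chown -R root:root '.escapeshellarg($install_dir.'/interface/ssl'));` so the fix also applies to non-default install prefixes. The commit title says the keys should be owned by root, but ownership without a mode change leaves any existing permission bits in place — the `chmod 600` / `chown root:root` pair used for `mysql_clientdb.conf` in the context lines is the pattern to follow for the private key as well. This invoices/ssl sequence is now duplicated verbatim across the per-distribution installers; a shared helper in the base installer would keep future permission fixes in one place. install_ispconfig() starts before this hunk.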

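--- a/install/lib/installer_base.lib.php
+++ b/install/lib/installer_base.lib.php
@@ -1716,6 +1716,8 @@ public function make_ispconfig_ssl_cert() {
 exec("openssl rsa -passin pass:$ssl_pw -in $ssl_key_file -out $ssl_key_file.insecure");
 rename($ssl_key_file, $ssl_key_file.'.secure');
 rename($ssl_key_file.'.insecure', $ssl_key_file);
+
+exec('chown -R root:root /usr/local/ispconfig/interface/ssl');
 
 }
 
@@ -1994,6 +1996,8 @@ public function install_ispconfig() {
 exec('chmod -R 770 '.escapeshellarg($install_dir.'/interface/invoices'));
 exec('chown -R ispconfig:ispconfig '.escapeshellarg($install_dir.'/interface/invoices'));
 }
+
+exec('chown -R root:root /usr/local/ispconfig/interface/ssl');
 
 // TODO: FIXME: add the www-data user to the ispconfig group. This is just for testing
 // and must be fixed as this will allow the apache user to read the ispconfig files.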
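Review bot: In the first hunk (make_ispconfig_ssl_cert), the decrypted key that `openssl rsa -out` writes to `$ssl_key_file.insecure` is created with the process umask (typically 0644), so after the two `rename()` calls the plaintext key is likely world-readable and the added `chown -R root:root` does nothing to change that; the function already has the exact paths in hand, so tighten them directly, `chmod($ssl_key_file, 0600);` and `chmod($ssl_key_file.'.secure', 0600);`, before or alongside the chown. Both hunks also hard-code `/usr/local/ispconfig/interface/ssl` while the second hunk's surrounding lines use `$install_dir` — prefer `escapeshellarg($install_dir.'/interface/ssl')` there, and in the first hunk chown `$ssl_key_file` and `$ssl_key_file.'.secure'` themselves rather than assuming where they live. Separately, the pre-existing `-passin pass:$ssl_pw` on the context line places the passphrase in the command line where it is visible in the process list; `-passin stdin` or `-passin env:VAR` avoids that, though it is outside this change. make_ispconfig_ssl_cert() starts before its hunk and install_ispconfig() starts before the second hunk.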

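--- a/install/tpl/debian_postfix.conf.master
+++ b/install/tpl/debian_postfix.conf.master
@@ -32,4 +32,6 @@ nested_header_checks = regexp:{config_dir}/nested_header_checks
 body_checks = regexp:{config_dir}/body_checks
 owner_request_special = no
 smtp_tls_security_level = may
-smtpd_tls_mandatory_protocols=!SSLv2, !SSLv3
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtpd_tls_protocols = !SSLv2,!SSLv3
+smtp_tls_protocols = !SSLv2,!SSLv3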
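Review bot: `smtp_tls_mandatory_protocols` is left at its default while its three siblings now exclude SSLv2/SSLv3, so an outbound session that is raised to a mandatory level (for example through a per-destination policy map) is not covered by this change; add `smtp_tls_mandatory_protocols = !SSLv2, !SSLv3` after the last added line for symmetry with the smtpd side. The two new parameters `smtpd_tls_protocols` and `smtp_tls_protocols` only exist in Postfix 2.6 and later; on an older release they are ignored with an unused-parameter warning and opportunistic SSLv3 stays enabled, so either the installer should verify the Postfix version or the template should state that floor in a comment such as `# smtpd_tls_protocols / smtp_tls_protocols require Postfix >= 2.6`. `smtpd_tls_security_level` is not visible in this hunk; the server-side protocol settings are only effective if it is enabled elsewhere in the generated main.cf.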

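--- a/install/tpl/fedora_postfix.conf.master
+++ b/install/tpl/fedora_postfix.conf.master
@@ -29,4 +29,6 @@ nested_header_checks = regexp:{config_dir}/nested_header_checks
 body_checks = regexp:{config_dir}/body_checks
 inet_interfaces = all
 smtp_tls_security_level = may
-smtpd_tls_mandatory_protocols=!SSLv2, !SSLv3
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtpd_tls_protocols = !SSLv2,!SSLv3
+smtp_tls_protocols = !SSLv2,!SSLv3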
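Review bot: The client-side mandatory list is missing from this set: `smtpd_tls_mandatory_protocols`, `smtpd_tls_protocols` and `smtp_tls_protocols` are all restricted, but `smtp_tls_mandatory_protocols` is not, so add `smtp_tls_mandatory_protocols = !SSLv2, !SSLv3` beneath the last added line to close the gap. A short comment above the block, `# POODLE (CVE-2014-3566): disable SSLv2/SSLv3 on both smtp and smtpd, opportunistic and mandatory`, would record why these four lines exist, since the template has no other documentation. Note that `smtpd_tls_protocols`/`smtp_tls_protocols` need Postfix 2.6 or newer; an older Postfix ignores them and keeps SSLv3 for opportunistic TLS.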

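--- a/install/tpl/gentoo_postfix.conf.master
+++ b/install/tpl/gentoo_postfix.conf.master
@@ -29,4 +29,6 @@ nested_header_checks = regexp:{config_dir}/nested_header_checks
 body_checks = regexp:{config_dir}/body_checks
 inet_interfaces = all
 smtp_tls_security_level = may
-smtpd_tls_mandatory_protocols=!SSLv2, !SSLv3
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtpd_tls_protocols = !SSLv2,!SSLv3
+smtp_tls_protocols = !SSLv2,!SSLv3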
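Review bot: `smtp_tls_mandatory_protocols` is still unset after this hunk, so mandatory outbound TLS (when a destination is raised above `may`) keeps Postfix's default protocol list rather than the SSLv2/SSLv3 exclusion applied to the other three parameters; add `smtp_tls_mandatory_protocols = !SSLv2, !SSLv3` as a fourth line. As a point of style, the first line was just reformatted to `!SSLv2, !SSLv3` with a space while the two new lines use `!SSLv2,!SSLv3` without one — Postfix accepts both, but the four templates in this commit should agree on one form. The new parameters require Postfix 2.6+; older releases ignore them with an unused-parameter warning.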

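--- a/install/tpl/opensuse_postfix.conf.master
+++ b/install/tpl/opensuse_postfix.conf.master
@@ -31,4 +31,6 @@ nested_header_checks = regexp:{config_dir}/nested_header_checks
 body_checks = regexp:{config_dir}/body_checks
 inet_interfaces = all
 smtp_tls_security_level = may
-smtpd_tls_mandatory_protocols=!SSLv2, !SSLv3
+smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
+smtpd_tls_protocols = !SSLv2,!SSLv3
+smtp_tls_protocols = !SSLv2,!SSLv3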
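Review bot: Of the four protocol parameters Postfix exposes, this hunk sets three; `smtp_tls_mandatory_protocols` is the one left at its default, so add `smtp_tls_mandatory_protocols = !SSLv2, !SSLv3` after the last added line so that mandatory outbound TLS is held to the same floor as opportunistic TLS and the server side. The list formatting is inconsistent within the hunk (`!SSLv2, !SSLv3` on the first line, `!SSLv2,!SSLv3` on the two new ones); pick one spelling. Because `smtpd_tls_protocols` and `smtp_tls_protocols` were added in Postfix 2.6, an installation on an older Postfix will log them as unused parameters and still offer SSLv3 for opportunistic TLS, which is worth stating in a template comment.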
