This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  11e900e0b4f4d1c67ab145ffa2f130c8d6e34159 (commit)
       via  d4092860749a2425a400129cd50cd14d7875c5e2 (commit)
      from  b5aca95b9401ba610fad2f8bcb9b4862f98a4969 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 11e900e0b4f4d1c67ab145ffa2f130c8d6e34159
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Tue Nov 28 14:14:16 2017 +0000
apache: Wait until apache has stopped when we want to stop it
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit d4092860749a2425a400129cd50cd14d7875c5e2
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Tue Nov 7 20:30:52 2017 +0000
apache: Ensure that not everyone can read the keys
This would become a security risk if anyone gets shell access as any user to copy out the HTTPS keys.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
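The permission problem the second commit describes, as an added example that is not part of the patch or of IPFire's own scripts: a small POSIX shell audit that lists every private key under a directory (default `/etc/httpd`, as in the patch) that is readable or writable by group or others, a fixer that applies the same `chmod 600` the update script uses but to every key file it finds, and a key-generation wrapper that creates the file as owner-only from the start instead of tightening it afterwards. It assumes a Linux userland with GNU or BusyBox `find`/`stat` and `openssl` on the PATH; the function names are this example's own.

```sh
#!/bin/sh
# Added example for this commit (not IPFire code): audit TLS private keys
# for modes that grant any access to group or others, lock them down, and
# generate new keys with the restrictive mode in place from the start.
# Assumes a Linux userland with POSIX sh, GNU or BusyBox find/stat and
# openssl on PATH; the directory defaults to /etc/httpd as in the patch.

# Print, one per line, every *.key file under $1 whose mode has any
# group or other bit set (e.g. 0644 or 0640, but not 0600).
find_exposed_keys() {
    dir="${1:-/etc/httpd}"
    find "$dir" -type f -name '*.key' -perm /077 2>/dev/null | LC_ALL=C sort
}

# Octal mode of a file, e.g. "600".
key_mode() {
    stat -c '%a' "$1"
}

# Change every exposed key found by find_exposed_keys to 0600 and print
# how many files were changed. Paths are read line by line, so names with
# spaces are handled; names containing newlines are not.
lock_down_keys() {
    dir="${1:-/etc/httpd}"
    n=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        chmod 600 "$f" && n=$((n + 1))
    done <<EOF
$(find_exposed_keys "$dir")
EOF
    echo "$n"
}

# Create an ECDSA key (same curve as the patch) so that the file is 0600
# from the moment it exists: the umask is changed inside a subshell and
# therefore does not leak into the caller's environment.
generate_private_key() {
    out="$1"
    ( umask 077 && openssl ecparam -genkey -name secp384r1 -noout -out "$out" 2>/dev/null )
}
```

Source the file and run `find_exposed_keys /etc/httpd` first to see what would change; `lock_down_keys` is the update script's chmod generalised to every key file in the directory. None of this undoes a copy that was already taken: a key that sat world-readable on a host with untrusted local users should be replaced, together with its certificate, rather than merely re-permissioned.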
Summary of changes:
 config/rootfiles/core/117/filelists/files | 1 +
 config/rootfiles/core/117/update.sh       | 5 +++++
 src/initscripts/system/apache             | 4 +++-
 3 files changed, 9 insertions(+), 1 deletion(-)
Difference in files: diff --git a/config/rootfiles/core/117/filelists/files b/config/rootfiles/core/117/filelists/files index a29d9ac..d7513c1 100644 --- a/config/rootfiles/core/117/filelists/files +++ b/config/rootfiles/core/117/filelists/files @@ -1,6 +1,7 @@ etc/system-release etc/issue etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf +etc/rc.d/init.d/apache etc/ssl/certs/ca-bundle.crt etc/ssl/certs/ca-bundle.trust.crt opt/pakfire/lib/functions.pl diff --git a/config/rootfiles/core/117/update.sh b/config/rootfiles/core/117/update.sh index 816f7f1..51f40d9 100644 --- a/config/rootfiles/core/117/update.sh +++ b/config/rootfiles/core/117/update.sh @@ -39,6 +39,11 @@ extract_files # update linker config ldconfig
+# Make apache keys not readable for everyone +chmod 600 \ + /etc/httpd/server.key \ + /etc/httpd/server-ecdsa.key + # Update Language cache #/usr/local/bin/update-lang-cache
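Review bot: the `chmod 600` on `/etc/httpd/server-ecdsa.key` in the update.sh hunk is unconditional, but the init script in this same patch only creates that key when it is missing, so an installation that has never generated it will print a chmod error during the update (the RSA key is still fixed, since chmod continues past a failing operand). Guard the path, e.g. `[ -f /etc/httpd/server-ecdsa.key ] && chmod 600 /etc/httpd/server-ecdsa.key`, or loop over both paths and skip missing files. Ownership is also left as it is: `chmod 600` only helps when the owner is root, so a `chown root:root` on the same two paths would make the fix independent of how the files were created. Finally, by the commit message's own threat model any local shell user may already have copied these keys; the mode change only stops future reads, so the release notes should point out that keys and certificates can be regenerated on hosts that had untrusted local users.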
diff --git a/src/initscripts/system/apache b/src/initscripts/system/apache index 541141e..f2a9fb8 100644 --- a/src/initscripts/system/apache +++ b/src/initscripts/system/apache @@ -11,6 +11,7 @@ generate_certificates() { if [ ! -f "/etc/httpd/server.key" ]; then boot_mesg "Generating HTTPS RSA server key (this will take a moment)..." openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null + chmod 600 /etc/httpd/server.key evaluate_retval fi
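Review bot: in this hunk `evaluate_retval` now reports the exit status of `chmod`, not of `openssl genrsa`, whose stderr is also discarded, so a failed key generation is only surfaced indirectly when chmod cannot find the file, and a generation that fails after writing a file would be reported as success. There is also a window between `genrsa -out` and the chmod in which the new key carries the process umask's default mode. Chaining the two commands (`openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null && chmod 600 /etc/httpd/server.key`) keeps the generation status visible to evaluate_retval, and running openssl under a restrictive umask, e.g. `( umask 077; openssl genrsa -out /etc/httpd/server.key 4096 )`, removes the window instead of closing it after the fact.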
@@ -18,6 +19,7 @@ generate_certificates() { boot_mesg "Generating HTTPS ECDSA server key..." openssl ecparam -genkey -name secp384r1 -noout \ -out /etc/httpd/server-ecdsa.key &>/dev/null + chmod 600 /etc/httpd/server-ecdsa.key evaluate_retval fi
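Review bot: same two points as the RSA hunk above: `evaluate_retval` now checks the chmod rather than `openssl ecparam`, and the ECDSA key exists with the umask default mode until the chmod runs. Setting `umask 077` in a subshell around each openssl call, or once at the top of `generate_certificates()` if the certificate files written by that function may also be owner-only, would create both keys as 0600 from the start and make the two added chmod lines unnecessary.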
@@ -66,7 +68,7 @@ case "$1" in
stop) boot_mesg "Stopping Apache daemon..." - /usr/sbin/apachectl -k stop + killproc /usr/sbin/httpd evaluate_retval ;;
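Review bot: `killproc /usr/sbin/httpd` resolves the daemon by program name rather than through the pid file that `apachectl -k stop` consults, so it signals every process running that binary, and the LFS-derived `killproc` helper falls back to SIGKILL after its kill delay if a process is still alive, which `apachectl -k stop` never did; a shutdown that takes longer than that delay is therefore cut short instead of waited for, which is the opposite of what the commit message intends. Please confirm the delay in this tree's `killproc` is long enough for httpd's worker shutdown, add a one-line comment in the script explaining why apachectl was replaced, and check that any other case in this script that stops httpd uses the same mechanism so the two paths do not diverge.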
hooks/post-receive -- IPFire 2.x development tree