public inbox for ipfire-scm@lists.ipfire.org
* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 11e900e0b4f4d1c67ab145ffa2f130c8d6e34159
From: git @ 2017-11-28 14:15 UTC (permalink / raw)
  To: ipfire-scm


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  11e900e0b4f4d1c67ab145ffa2f130c8d6e34159 (commit)
       via  d4092860749a2425a400129cd50cd14d7875c5e2 (commit)
      from  b5aca95b9401ba610fad2f8bcb9b4862f98a4969 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 11e900e0b4f4d1c67ab145ffa2f130c8d6e34159
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Nov 28 14:14:16 2017 +0000

    apache: Wait until apache has stopped when we want to stop it
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit d4092860749a2425a400129cd50cd14d7875c5e2
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Tue Nov 7 20:30:52 2017 +0000

    apache: Ensure that not everyone can read the keys
    
    This would become a security risk if anyone gets
    shell access as any user to copy out the HTTPS keys.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/rootfiles/core/117/filelists/files | 1 +
 config/rootfiles/core/117/update.sh       | 5 +++++
 src/initscripts/system/apache             | 4 +++-
 3 files changed, 9 insertions(+), 1 deletion(-)

Difference in files:
diff --git a/config/rootfiles/core/117/filelists/files b/config/rootfiles/core/117/filelists/files
index a29d9ac..d7513c1 100644
--- a/config/rootfiles/core/117/filelists/files
+++ b/config/rootfiles/core/117/filelists/files
@@ -1,6 +1,7 @@
 etc/system-release
 etc/issue
 etc/httpd/conf/vhosts.d/ipfire-interface-ssl.conf
+etc/rc.d/init.d/apache
 etc/ssl/certs/ca-bundle.crt
 etc/ssl/certs/ca-bundle.trust.crt
 opt/pakfire/lib/functions.pl
diff --git a/config/rootfiles/core/117/update.sh b/config/rootfiles/core/117/update.sh
index 816f7f1..51f40d9 100644
--- a/config/rootfiles/core/117/update.sh
+++ b/config/rootfiles/core/117/update.sh
@@ -39,6 +39,11 @@ extract_files
 # update linker config
 ldconfig
 
+# Make apache keys not readable for everyone
+chmod 600 \
+	/etc/httpd/server.key \
+	/etc/httpd/server-ecdsa.key
+
 # Update Language cache
 #/usr/local/bin/update-lang-cache
 
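Review bot: the chmod 600 added to update.sh names /etc/httpd/server.key and /etc/httpd/server-ecdsa.key unconditionally, so on a system where one of the two keys has not been generated yet chmod fails on the missing path and prints an error during the update. Guarding each path with a `[ -f ... ]` test, the same check generate_certificates() uses in src/initscripts/system/apache, avoids that. Nothing in this hunk sets or checks the owner of the files either; mode 600 only protects the keys if the owner is the intended account, so an explicit chown next to the chmod would make that assumption visible.
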
diff --git a/src/initscripts/system/apache b/src/initscripts/system/apache
index 541141e..f2a9fb8 100644
--- a/src/initscripts/system/apache
+++ b/src/initscripts/system/apache
@@ -11,6 +11,7 @@ generate_certificates() {
 	if [ ! -f "/etc/httpd/server.key" ]; then
 		boot_mesg "Generating HTTPS RSA server key (this will take a moment)..."
 		openssl genrsa -out /etc/httpd/server.key 4096 &>/dev/null
+		chmod 600 /etc/httpd/server.key
 		evaluate_retval
 	fi
 
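Review bot: in the RSA branch of generate_certificates() the new chmod sits between openssl genrsa and evaluate_retval, so the result shown for "Generating HTTPS RSA server key" is now the status of chmod rather than of key generation (assuming evaluate_retval reports the exit status of the command before it). Chaining the two, as in `openssl genrsa ... && chmod 600 /etc/httpd/server.key`, keeps an openssl failure visible in the boot message.
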
@@ -18,6 +19,7 @@ generate_certificates() {
 		boot_mesg "Generating HTTPS ECDSA server key..."
 		openssl ecparam -genkey -name secp384r1 -noout \
 			-out /etc/httpd/server-ecdsa.key &>/dev/null
+		chmod 600 /etc/httpd/server-ecdsa.key
 		evaluate_retval
 	fi
 
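Review bot: in the ECDSA branch the key is written by openssl ecparam first and only restricted by chmod 600 afterwards, so between the two commands the file exists with whatever mode the current umask gives it. Setting `umask 077` before the openssl call (for example in a subshell around it) would create the key with restrictive permissions from the start; the same applies to the RSA key in the previous hunk.
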
@@ -66,7 +68,7 @@ case "$1" in
 
 	stop)
 		boot_mesg "Stopping Apache daemon..."
-		/usr/sbin/apachectl -k stop
+		killproc /usr/sbin/httpd
 		evaluate_retval
 		;;
 
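Review bot: the stop) branch now calls killproc /usr/sbin/httpd with no pidfile or timeout argument and no comment, so the wait promised by the commit subject depends entirely on killproc's default behaviour. A short comment stating why `/usr/sbin/apachectl -k stop` was replaced would document the intent, and if killproc accepts an explicit pidfile it is worth passing one so that only the daemon started by this script is targeted. It is also worth checking that any restart path, which is not visible in this hunk, goes through this branch so it benefits from the wait.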


hooks/post-receive
--
IPFire 2.x development tree
