Merge pull request #68 from mkropat/protect-key

Protect private key from being world-readable
2014-06-07 20:19:40 -04:00 · 2014-06-07 20:19:40 -04:00 · ca34c1b1ae
parent 3fa8e384d4 42bf624045
commit ca34c1b1ae
1 changed files with 3 additions and 2 deletions
--- a/setup/mail.sh
+++ b/setup/mail.sh
@ -221,7 +221,8 @@ tools/editconf.py /etc/dovecot/conf.d/10-ssl.conf \
 mkdir -p $STORAGE_ROOT/ssl
 if [ ! -f $STORAGE_ROOT/ssl/ssl_certificate.pem ]; then
 	# Generate a new private key if one doesn't already exist.
-	openssl genrsa -out $STORAGE_ROOT/ssl/ssl_private_key.pem 2048
+	# Set the umask so the key file is not world-readable.
+	(umask 077; openssl genrsa -out $STORAGE_ROOT/ssl/ssl_private_key.pem 2048)
 fi
 if [ ! -f $STORAGE_ROOT/ssl/ssl_cert_sign_req.csr ]; then
 	# Generate a certificate signing request if one doesn't already exist.