Discussion:
key / crt permissions constantly
(too old to reply)
none
2024-07-29 10:55:00 UTC
Permalink
I don't really get why I am confronted with sendmail thinking it knows
better how I should put permissions on my key and crt files.

Why do I even get this error, while the permissions are just fine

file /home/acme/test.cer unsafe: Permission denied

-rw-r-----+ 1 acme acme 1972 Jul 29 00:10 test.cer
and
-rw-r--r--+ 1 acme acme 1972 Jul 29 00:10 test.cer
and
-rw-r--r--+ 1 acme root 1972 Jul 29 00:10 test.cer

Besides that, who cares about certs, these are even distributed unsecurly.

How can I turn of any permissions checks on key/crt files

(I already have this
define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl )
Marco Moock
2024-07-29 12:10:35 UTC
Permalink
Post by none
I don't really get why I am confronted with sendmail thinking it
knows better how I should put permissions on my key and crt files.
Sometimes users have default permissions of o+r, which means other
users on the system can read the stuff. For key files, this is really,
really bad, so sendmail warns you.

What is the message you receive in your case here?
Doesn't the confDONT_BLAME_SENDMAIL stop emitting that error?
--
kind regards
Marco

Send spam to ***@cartoonies.org
none
2024-07-29 13:28:07 UTC
Permalink
Post by Marco Moock
Post by none
I don't really get why I am confronted with sendmail thinking it
knows better how I should put permissions on my key and crt files.
Sometimes users have default permissions of o+r, which means other
users on the system can read the stuff. For key files, this is really,
really bad, so sendmail warns you.
What is the message you receive in your case here?
Doesn't the confDONT_BLAME_SENDMAIL stop emitting that error?
If I search on this, I only find this argument are there more options I
can give it? I assume from this option name that it is only related to
key files.
define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
Marco Moock
2024-07-29 15:31:09 UTC
Permalink
Post by none
If I search on this, I only find this argument are there more options
I can give it? I assume from this option name that it is only related
to key files.
define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl
define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile')

Dunno if that is case-sensitive, maybe check that.
--
kind regards
Marco

Send spam to ***@cartoonies.org
Claus Aßmann
2024-07-29 16:37:42 UTC
Permalink
Post by Marco Moock
define(`confDONT_BLAME_SENDMAIL', `GroupReadableKeyFile')
Dunno if that is case-sensitive, maybe check that.
(currently) it's not (grep GroupReadableKeyFile *.[ch] won't
even find a match in the source code).
HQuest
2024-07-29 15:26:21 UTC
Permalink
Post by Marco Moock
Sometimes users have default permissions of o+r, which means other
users on the system can read the stuff. For key files, this is really,
really bad, so sendmail warns you.
Might be bad but this is also a problem when you have multiple daemons
running under different users/groups and they share one single
certificate and key, hence the reason for a o+r file. Sure, one can copy
those files everywhere on the filesystem and set up their permissions to
fit the application, but is this copy everywhere really the best
alternative?
none
2024-07-29 17:58:59 UTC
Permalink
Post by Marco Moock
Post by none
I don't really get why I am confronted with sendmail thinking it
knows better how I should put permissions on my key and crt files.
Sometimes users have default permissions of o+r, which means other
users on the system can read the stuff. For key files, this is really,
really bad, so sendmail warns you.
Currently it is about the cert, which everyone can download remotely.

If it was a warning I would not care, currently it stops using tls/ssl
(a bit older sendmail instance, still need to update this distro)
Claus Aßmann
2024-07-29 17:51:22 UTC
Permalink
Post by none
-rw-r--r--+ 1 acme root 1972 Jul 29 00:10 test.cer
Do you use that file as
KeyFile
File containing the private key for the certificate.
Post by none
Besides that, who cares about certs, these are even distributed unsecurly.
The error isn't about a cert, it's about "the private key".
Post by none
(I already have this
define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl )
A "private key" shouldn't be readable by everyone.

If you need to "share" a private key between instances,
use group permissions.
--
Note: please read the netiquette before posting. I will almost never
reply to top-postings which include a full copy of the previous
article(s) at the end because it's annoying, shows that the poster
is too lazy to trim his article, and it's wasting the time of all readers.
none
2024-07-29 19:29:17 UTC
Permalink
Post by Claus Aßmann
Post by none
-rw-r--r--+ 1 acme root 1972 Jul 29 00:10 test.cer
Do you use that file as
KeyFile
File containing the private key for the certificate.
No is also the certificate (unless that changed in recent versions)
Post by Claus Aßmann
Post by none
Besides that, who cares about certs, these are even distributed unsecurly.
The error isn't about a cert, it's about "the private key".
No because I was only changing permissions on the cert (unless it is
changed in newer distros) But I think I saw this behaviour also on
newer. Basically I can imagine maybe giving a warning on the key being
o+r but that also depends on parent dirs.
I also don't get why the owner needs to be root.
Post by Claus Aßmann
Post by none
(I already have this
define(`confDONT_BLAME_SENDMAIL', `groupreadablekeyfile')dnl )
A "private key" shouldn't be readable by everyone.
My private key and cert are separate files.
Post by Claus Aßmann
If you need to "share" a private key between instances,
use group permissions.
Sendmail is reading keys/certs as root not? Before it drops privileges.

Anyway I prefer to see something where it is guaranteed that key and
cert are loaded and used no matter what. I don't think it is any
applications business to force how permissions are set on key/crt files.
Claus Aßmann
2024-07-30 07:12:36 UTC
Permalink
Post by none
No is also the certificate (unless that changed in recent versions)
It's time to get some real information...
What are the settings in your .cf file?

egrep -i '^O *[^ ]*(Cert|Key)File' /etc/mail/*cf
none
2024-07-31 20:47:21 UTC
Permalink
egrep -i '^O *[^ ]*(Cert|Key)File'/etc/mail/*cf
/etc/mail/sendmail.cf:O DontBlameSendmail=groupreadablekeyfile
/etc/mail/sendmail.cf:O CACertFile=/etc/pki/tls/certs/ca-bundle.crt
/etc/mail/sendmail.cf:O ServerCertFile=/home/acme/......cer
/etc/mail/sendmail.cf:O ServerKeyFile=/home/acme/.......key
Claus Aßmann
2024-08-01 06:31:14 UTC
Permalink
Post by none
file /home/acme/test.cer unsafe: Permission denied
Which command triggers this error?
Please show the full command and the full logfile entry.
What are the permission/owner/group of the involved directories
( / /home /home/acme )?
none
2024-08-01 09:32:39 UTC
Permalink
Post by Claus Aßmann
Post by none
file /home/acme/test.cer unsafe: Permission denied
Which command triggers this error?
Please show the full command and the full logfile entry.
What are the permission/owner/group of the involved directories
( / /home /home/acme )?
I think I should do this again with an el9 version, I don't want to
waste anyone's time on details with something old.

I was more thinking about a general topic where users can just turn
these checks of and have sendmail just trust the groups / acls that it
has been given.
I don't think I have seen these checks with eg apache. This is more like
a design question, wether or not this is the responsibility of the
application or user.
Even if you have o+w files, if they are in a parent folder with o-rwx it
does not really matter.

Loading...