permission check on SSL key is too strict

Issue #984 resolved
Joseph Nahmias created an issue

Hello, I have my SSL private key set up so that it is owned by root:ssl-cert and permissions 0640. This allows it to be used by others services on the machine which may run as non-root users for security – but still need access to the key. However, monit rejects using this file with the message The SSL server private key PEM file 'privkey.pem' permission 0640 is wrong, maximum 0700 allowed.

Looks like this comes from src/p.y line #1060 and line #1066 where it looks for S_IRWXU. Changing this to (S_IRWXU | S_IRGRP | S_IXGRP ) looks like it should resolve the issue. Would it help if I prepared a PR for this?

Comments (4)

  1. Joseph Nahmias reporter

    Actually, since a CLA is required, probablye easier & better if someone else makes the commit.

  2. Tildeslash repo owner

    Fixed: Issue #984: The permission check of the SSL PEM key file allows also group permissions now (originally monit enforced that the file is readable only by the owner).

    → <<cset 489b2a9b03ec>>

  3. Rob Bates

    Came across this issue while trying to get Monit to use cPanel auto generated ssl certs, the pem file is owned byt the user/goup “cpanel:cpanel” however, monit is running as root so it can read the file

    The SSL server PEM file '/var/cpanel/ssl/cpanel/mycpanel.pem' must be owned by you.
    /etc/monitrc:170: SSL server PEM file permissions check failed 'set'

  4. Lutz Mader

    Hello Rob Bates,
    Yes, "root" ist authorised to read the file, but is not the owner.

    You should change the owner to the right user, the user used to start monit, and every thing works well.

    A suggestion only,
    Lutz

    p.s.

    This is the behaviour lots of application handle key or certificate files and also of monit. The fix for issue #904 allows group permissions also only.

  5. Log in to comment