permission check on SSL key is too strict

Issue #984 resolved
Joseph Nahmias created an issue

Hello, I have my SSL private key set up so that it is owned by root:ssl-cert and permissions 0640. This allows it to be used by other services on the machine which may run as non-root users for security – but still need access to the key. However, monit rejects using this file with the message "The SSL server private key PEM file 'privkey.pem' permission 0640 is wrong, maximum 0700 allowed".

Looks like this comes from src/p.y line #1060 and line #1066 where it looks for S_IRWXU. Changing this to (S_IRWXU | S_IRGRP | S_IXGRP ) looks like it should resolve the issue. Would it help if I prepared a PR for this?

Comments (2)

  1. Joseph Nahmias reporter

    Actually, since a CLA is required, probably easier & better if someone else makes the commit.

  2. Tildeslash repo owner

    Fixed: Issue #984: The permission check of the SSL PEM key file allows also group permissions now (originally monit enforced that the file is readable only by the owner).

    → <<cset 489b2a9b03ec>>

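The mask comparison discussed in this issue, as an added example in C (not monit's source and not part of the thread). It checks a key file's mode against the owner-only mask `S_IRWXU` and against the mask proposed in the report; the helper names `mode_within`, `check_key_fd` and `demo` are hypothetical, and the temporary file is a constructed stand-in for `privkey.pem`.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define OWNER_ONLY  (S_IRWXU)                      /* 0700: the limit in the reported message */
#define OWNER_GROUP (S_IRWXU | S_IRGRP | S_IXGRP)  /* 0750: the mask proposed in the issue */

/* Returns 1 if mode has no permission bit outside `allowed`
 * (setuid, setgid and sticky bits count as outside), else 0. */
int mode_within(mode_t mode, mode_t allowed) {
    return ((mode & 07777) & ~allowed) == 0;
}

/* Check an already-open key file. fstat() on the descriptor means the
 * file that is checked is the same file that will be read. 0 = accept. */
int check_key_fd(int fd, mode_t allowed) {
    struct stat st;
    if (fstat(fd, &st) != 0) return -1;
    if (!S_ISREG(st.st_mode)) return -1;   /* no devices, FIFOs or directories */
    return mode_within(st.st_mode, allowed) ? 0 : -1;
}

/* Constructed sample: a temp file standing in for privkey.pem is set to
 * `mode`, checked against `allowed`, then removed. -2 = setup failure. */
int demo(mode_t mode, mode_t allowed) {
    char path[] = "/tmp/keyperm-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -2;
    int rc = (fchmod(fd, mode) == 0) ? check_key_fd(fd, allowed) : -2;
    close(fd);
    unlink(path);
    return rc;
}

int main(void) {
    mode_t modes[] = {0600, 0640, 0644, 0660};
    for (size_t i = 0; i < sizeof modes / sizeof *modes; i++)
        printf("%04o  owner-only: %-6s  owner+group: %s\n", (unsigned)modes[i],
               demo(modes[i], OWNER_ONLY) == 0 ? "ok" : "reject",
               demo(modes[i], OWNER_GROUP) == 0 ? "ok" : "reject");
    return 0;
}
```

With the wider mask, 0640 is accepted while group-writable (0660) and world-readable (0644) key files are still rejected.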