Browse Source
make sure the private key is never world-readable
1. Set the private to chmod 0600 on creation.
2. Avoid possible race condition by setting the private
key backup to 0600 _first_ and then saving the key.
3. Reset existing backup key to chmod 0600 before
saving the new key.
Viktor Szakats
6 years ago
GPG Key ID:
1 changed files with
5 additions and
1 deletions
acme.sh
@ -1076,6 +1076,8 @@ _createkey() {
fi fi
fi fi
chmod 600 " $f "
if _isEccKey " $length " ; then if _isEccKey " $length " ; then
_debug " Using ec name: $eccname " _debug " Using ec name: $eccname "
if _opkey = " $( ${ ACME_OPENSSL_BIN :- openssl } ecparam -name " $eccname " -genkey 2>/dev/null) " ; then if _opkey = " $( ${ ACME_OPENSSL_BIN :- openssl } ecparam -name " $eccname " -genkey 2>/dev/null) " ; then
@ -5265,10 +5267,12 @@ _installcert() {
cp " $_real_key " " $_backup_path /key.bak " cp " $_real_key " " $_backup_path /key.bak "
fi fi
if [ -f " $_real_key " ] ; then if [ -f " $_real_key " ] ; then
chmod 600 " $_real_key "
cat " $CERT_KEY_PATH " >" $_real_key " || return 1 cat " $CERT_KEY_PATH " >" $_real_key " || return 1
else else
cat " $CERT_KEY_PATH " > " $_real_key " || return 1
touch " $_real_key "
chmod 600 " $_real_key " chmod 600 " $_real_key "
cat " $CERT_KEY_PATH " >" $_real_key " || return 1
fi fi
fi fi
Viktor Szakats
6 years ago