
I stumbled across the directory /etc/ssl/private on Ubuntu (12.04); it has the following permissions:

drwx--x---   2 root ssl-cert  4096  7月  8  2012 private/

I wonder what this means for the group ssl-cert, and why is it set this way?

1 Answer


Having execute permission on a directory is required in order to read the inodes of the files within that directory.

Within that directory is a single file, ssl-cert-snakeoil.key, which has read permission only for the ssl-cert group (and root). So this combination of permissions is the most minimal permission set that would allow a member of the ssl-cert group to access the file.

Restricting access to this file is important because it contains the private key for any services you run that make use of SSL. The idea is that only users (which in this case would correspond to services, e.g. the apache user) that require access to the key are members of this group. All other users are forbidden. The private key needs to stay secret to guarantee that you are who you say you are when a client establishes an encrypted connection to your service.

  • I see. As a supplement, I found out that the ssl-cert group is disallowed from listing the directory. – Pellaeon Lin Jan 17 '13 at 02:44
  • @Pellaeon Lin - Yes. Listing a directory requires read permission, which isn't present here. But there's no need to list a directory if you already know the name of the file (further evidence, if any were needed, that this is intended for programmatic access, not interactive). – ire_and_curses Jan 17 '13 at 02:47
  • @Pellaeon Lin - If you're interested in learning more about the permissions model, I highly recommend the reference quoted in this answer. – ire_and_curses Jan 17 '13 at 03:01
  • The explanation in the reference is pretty clear, thanks! – Pellaeon Lin Jan 17 '13 at 03:08
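The permission reasoning from the answer and the comments (execute on the directory lets a known file name be looked up, read on the directory is what listing needs, and only one rwx triplet ever applies to a given process), as an added model that is not part of the original thread. The gid 112 for ssl-cert and uid/gid 33 for www-data are assumed sample values, not taken from the question.

```python
from collections import namedtuple

R, W, X = 4, 2, 1  # the bits of one rwx triplet

# A file or directory: permission bits plus owner uid and group gid.
Node = namedtuple("Node", "mode uid gid")
# A process: effective uid, primary gid and the set of supplementary gids.
Process = namedtuple("Process", "uid gid groups")

def parse_symbolic(perms):
    """Turn an ls(1) mode string such as 'drwx--x---' into numeric permission bits (0o710)."""
    bits = perms[1:10]  # drop the file-type character
    if len(bits) != 9:
        raise ValueError("expected a 10-character ls mode string")
    mode = 0
    for ch in bits:
        mode = (mode << 1) | (ch != "-")
    return mode

def applicable_bits(node, proc):
    """Pick the single triplet that applies: owner first, then group, then other; never merged."""
    if proc.uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid == proc.gid or node.gid in proc.groups:
        return (node.mode >> 3) & 7
    return node.mode & 7

def allowed(node, proc, bit):
    """Root bypasses discretionary read/search checks (CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH)."""
    if proc.uid == 0:
        return True
    return bool(applicable_bits(node, proc) & bit)

def check_key_access(directory, key_file, proc):
    """What a process can do with a key file inside a directory it does not own."""
    can_list = allowed(directory, proc, R)      # readdir(3) needs r on the directory
    can_traverse = allowed(directory, proc, X)  # looking up a known name needs x on the directory
    can_read_key = can_traverse and allowed(key_file, proc, R)
    return {"list": can_list, "traverse": can_traverse, "read_key": can_read_key}

# Constructed sample mirroring the listing in the question. gid 112 for ssl-cert and
# uid/gid 33 for www-data are assumptions; the numeric ids vary between systems.
SSL_CERT_GID = 112
PRIVATE_DIR = Node(parse_symbolic("drwx--x---"), uid=0, gid=SSL_CERT_GID)   # /etc/ssl/private
SNAKEOIL_KEY = Node(parse_symbolic("-rw-r-----"), uid=0, gid=SSL_CERT_GID)  # ssl-cert-snakeoil.key
ROOT = Process(0, 0, frozenset({0}))
WEB_SERVICE = Process(33, 33, frozenset({33, SSL_CERT_GID}))  # service account added to ssl-cert
OTHER_USER = Process(1000, 1000, frozenset({1000}))
```

Running check_key_access for the three processes shows the service account can open the key by name without being able to list the directory, a user outside the group can do neither, and root can do both.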