nixos/taskserver: Constrain server cert perms

It doesn't do much harm to make the server certificate world readable,
because even though it's not accessible anymore via the file system,
someone can still get it by simply doing a TLS handshake with the
server.

So this is solely for consistency.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
aszlig 2016-04-11 22:59:30 +02:00
parent 6e10705754
commit d0ab617974
No known key found for this signature in database
GPG Key ID: D0EBD0EC8C2DC961
1 changed files with 7 additions and 3 deletions


@ -388,9 +388,13 @@ in {
--load-privkey "${cfg.dataDir}/keys/server.key" \
--outfile "${cfg.dataDir}/keys/server.cert"
chgrp "${cfg.group}" "${cfg.dataDir}/keys/server.key"
chmod g+r "${cfg.dataDir}/keys/server.key"
chmod a+r "${cfg.dataDir}/keys/server.cert"
chgrp "${cfg.group}" \
"${cfg.dataDir}/keys/server.key" \
"${cfg.dataDir}/keys/server.cert"
chmod g+r \
"${cfg.dataDir}/keys/server.key" \
"${cfg.dataDir}/keys/server.cert"
fi
chmod go+x "${cfg.dataDir}/keys"
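Review bot: The new `chmod g+r` only adds the group read bit to server.key and server.cert, so their final modes still depend on whatever certtool and the active umask left behind; nothing here clears the bits for other users. Because the context line `chmod go+x "${cfg.dataDir}/keys"` makes the directory traversable by everyone, the file modes are the only barrier in front of the private key, and an absolute mode would make that explicit: `chmod 0640 "${cfg.dataDir}/keys/server.key" "${cfg.dataDir}/keys/server.cert"`. The enclosing `if` starts outside the hunk; if it runs only when the files are first generated, a certificate created by an earlier version would keep its world-readable mode, which is worth confirming against the stated consistency goal.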