nixos/taskserver: Constrain server cert perms
It doesn't do much harm to make the server certificate world readable, because even though it's not accessible anymore via the file system, someone can still get it by simply doing a TLS handshake with the server. So this is solely for consistency.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
parent 6e10705754
commit d0ab617974
|
@ -388,9 +388,13 @@ in {
|
|||
--load-privkey "${cfg.dataDir}/keys/server.key" \
|
||||
--outfile "${cfg.dataDir}/keys/server.cert"
|
||||
|
||||
chgrp "${cfg.group}" "${cfg.dataDir}/keys/server.key"
|
||||
chmod g+r "${cfg.dataDir}/keys/server.key"
|
||||
chmod a+r "${cfg.dataDir}/keys/server.cert"
|
||||
chgrp "${cfg.group}" \
|
||||
"${cfg.dataDir}/keys/server.key" \
|
||||
"${cfg.dataDir}/keys/server.cert"
|
||||
|
||||
chmod g+r \
|
||||
"${cfg.dataDir}/keys/server.key" \
|
||||
"${cfg.dataDir}/keys/server.cert"
|
||||
fi
|
||||
|
||||
chmod go+x "${cfg.dataDir}/keys"
|
||||
|
|
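Review bot: The `chmod g+r` applied to `server.key` and `server.cert` only adds the group read bit, so on its own it does not constrain the certificate. Whatever mode the command writing `--outfile` left on `server.cert` stays in place, including world-readable under a permissive umask. A certificate that an earlier run already marked `a+r` is also left untouched if this block is skipped once the files exist (the condition that closes at `fi` is outside the hunk). If the intent is for the certificate to match the key's permissions, set the mode explicitly, for example `chmod g+r,o-rwx` on both files, and consider applying it outside the generation branch so existing deployments converge on the same mode.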