[Buildroot] [PATCH 10/11 v5] package/freerdp: install server key and certificate
Yann E. MORIN
yann.morin.1998 at free.fr
Sun Feb 22 14:01:25 UTC 2015
Thomas, All,
On 2015-02-22 14:45 +0100, Thomas Petazzoni spake thusly:
> On Sun, 22 Feb 2015 14:16:23 +0100, Yann E. MORIN wrote:
>
> > Yup, I forgot it.
> >
> > But now I wonder what those should be: 0644 or 0600 ?
>
> I was also unsure, and that's why I decided to not add the '-m' myself,
> and open up the discussion. Is it problematic if a non-root user has
> access to this key and certificate?

Well, I don't think so. I am not 100% sure about this either.

However, know that those key and cert are already highly public: they
*are* in the FreeRDP repository (i.e. they are not generated at build
time).

So, there is no real security concern about that pair, and I would be
tempted to leave them at 0644.

However, I believe the user should be responsible for providing their
own set of key+cert (and thus set the appropriate permissions on them).
I said in the help text of Weston:

    By default, Buildroot installs such files in /etc/freerdp/server/
    so you may want to change them in a post-build script or a rootfs
    overlay.

So, thanks to your comment, I noticed a few issues, now:

  - the key+cert are only installed when FreeRDP server is installed,
    so we're missing them when only the lib is installed. Damn smartin
    who made me change to that situation! :-]

  - the comment about the keys should be moved to the FreeRDP option.

I'll provide follow-up patches soon.

Regards,
Yann E. MORIN.
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 223 225 172 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
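
The message above notes that file modes matter little while the installed key is the public one from the FreeRDP repository, and that users should supply their own pair. The following post-build check for both conditions is an added example, not part of the original message and not Buildroot or FreeRDP code. The `*.key` naming, the directory of known-public sample keys passed as second argument, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit RDP server private keys in a target tree.
# Buildroot passes the target directory to post-build scripts as $1.
# Assumptions: private keys are the *.key files under etc/freerdp/server/,
# and $2 is a directory holding copies of known-public sample keys.

KEY_SUBDIR="etc/freerdp/server"

# Succeeds if group or other have any permission bit on the file.
is_exposed() {
    mode=$(stat -c '%a' "$1") || return 2
    # Leading 0 makes the shell read the mode as octal; 077 = group+other bits.
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# Succeeds if file $1 is byte-identical to any file in directory $2.
is_public_sample() {
    for ref in "$2"/*; do
        [ -f "$ref" ] && cmp -s "$1" "$ref" && return 0
    done
    return 1
}

# Prints one "<finding> <path>" line per problem; returns 1 if any was found.
audit_keys() {
    target=$1 samples=$2 found=0
    for key in "$target/$KEY_SUBDIR"/*.key; do
        [ -f "$key" ] || continue
        if is_public_sample "$key" "$samples"; then
            # A published key is compromised whatever its mode is.
            echo "public-sample-key $key"; found=1
        elif is_exposed "$key"; then
            echo "group-or-world-accessible $key"; found=1
        fi
    done
    return $found
}

# When called with both arguments, run the audit; non-zero fails the build.
if [ $# -ge 2 ]; then
    audit_keys "$1" "$2"
    exit
fi
```
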