
I am running Cyrus on a Debian 7 system. I want to increase security by allowing only specific services access to the SSL private keys.

I created a group "ssl" which contains the users mysql, postfix and cyrus.

The process cyrus seems to run as user cyrus:

$ ps aux | grep cyrus
cyrus     1294  0.0  0.0 126256  8112 ?        S    16:23   0:00 imapd -s -U 30
cyrus     1695  0.0  0.0  57036  3544 ?        Ss   Nov20   0:03 /usr/sbin/cyrmaster -d
cyrus     3656  0.0  0.0  83708  2408 ?        S    Nov20   0:00 notifyd
root     10779  0.0  0.0  11540   892 pts/1    S+   21:12   0:00 grep cyrus

The private.key has chmod 640 and chown root:ssl. It is not encrypted.

The certificate.pem has chmod 640 and chown root:root.

When I run su cyrus, I am able to read the private.key file, so the permissions should be OK.

When I try to use my IMAP mailbox, cyrus reports that it does not have access to the private key:

$tail /var/log/syslog
Nov 21 20:13:47 debian cyrus/imaps[20647]: unable to get private key from '/daten/ssl/xxx/private.key'
Nov 21 20:13:47 debian cyrus/imaps[20647]: TLS server engine: cannot load cert/key data, may be a cert/key mismatch?
Nov 21 20:13:47 debian cyrus/imaps[20647]: error initializing TLS
Nov 21 20:13:47 debian cyrus/imaps[20647]: Fatal error: tls_init() failed

A relevant part of /etc/imapd.conf:

tls_cert_file: /daten/ssl/xxx/certificate.pem
tls_key_file: /daten/ssl/xxx/private.key

tls_ca_file: /daten/ssl/ca/startcom/startcom.sub.class1.server.ca.crt
tls_ca_path: /daten/ssl/ca/startcom

When I change the chmod of private.key back to 644, it does work. When I set it to 640, it doesn't work anymore.

What can I do to make cyrus work? Why doesn't the process running as cyrus get access to the private.key?

Daniel Marschall
  • What's the path that it's configured to read the key from? `'/.../private.key'` seems odd.. Also: is the key encrypted, and is the cert in the same file or a different file that the key? – Shane Madden Nov 21 '14 at 20:31
  • "..." was just to censor my directory structure, since it doesn't matter to the problem. The key is not encrypted. The certificate is provided in the same directory and has chown root:root and chmod 644. When I change chmod of the private.key to 644, it works. 640 and it doesn't work. I don't know why, and I don't know why people keep downvoting me. It is a normal question and I did research. – Daniel Marschall Nov 21 '14 at 20:34
  • @rinntech I wonder if it might be running as a different user when it's reading the key? Is SELinux enforcing? – Shane Madden Nov 21 '14 at 20:45
  • @ShaneMadden I wonder that too. There seems to be no log which logs failed accesses. When I was looking in the `/etc/passwd` file, I didn't find users which might be cyrus/mail-relevant. SELinux is not enforced. ACLs are enforced at a few locations, but not in this specific directory. – Daniel Marschall Nov 21 '14 at 20:49
  • @rinntech Hmm, interesting - how about running `strace` on the cyrus process and watching for when it's trying to open that file? That should give us something to work with. – Shane Madden Nov 21 '14 at 20:56
  • Thanks for your comments. I got it working by a very unusual attempt. `/daten/ssl` is a symlink (world-readable and world-executable) to `/etc/apache2/ssl`. If I change in `imapd.conf` the path `/daten/ssl` to `/etc/apache2/ssl`, it works with private.key chmod'd to 640. -- It seems to be a bug in Cyrus, since the access at system level does work. After I switched to the user Cyrus using `su cyrus`, I can run `cat /daten/ssl/xxx/private.key` without problems. What do you think, is this a bug? Since private.key with chmod 644 could be read from `/daten/ssl`, the symlink resolution seems to be OK. – Daniel Marschall Nov 21 '14 at 21:20
  • Oh, nice find! That does sound like a bug, though I can't imagine how permissions on the file plus the fact that there's a symlink in the path are combining to cause the problem. If you're up for it, maybe try some different simplified cases (symlink in the same directory, simplified file structure, check what it's doing in the `strace`) to try to pin it down. Even if you don't track it down, feel free to post an answer, so future searchers running into the same thing will see what you found easily. – Shane Madden Nov 21 '14 at 21:43
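The check the comments converge on, written out as an added example (not code from the question or from Cyrus): for an arbitrary uid and group set, walk the configured key path the way the kernel does, requiring search permission on every directory passed through, including the directories behind the `/daten/ssl` symlink, and read permission on the key itself. It models plain Unix mode bits only, so POSIX ACLs, SELinux/AppArmor and any chroot the daemon runs in are outside what it reports; the uid/gid numbers used with it are constructed.

```python
"""Emulate the kernel's DAC check for one process identity (uid + group set)
along a path, following symlinks component by component.  Added example, not
Cyrus/Debian code; ignores ACLs, SELinux/AppArmor, chroots and '..' parts."""
import os
import stat

def _bits(st, uid, gids):
    """rwx triple for (uid, gids) on one inode, in kernel order: owner bits if
    uid owns it, else group bits on a gid match, else other bits; root bypasses."""
    if uid == 0:
        return 7
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    return (st.st_mode >> 3) & 7 if st.st_gid in gids else st.st_mode & 7

def _resolve(path, uid, gids, depth=0):
    """Walk path requiring 'x' on every directory passed through.  A symlink
    restarts the walk on its target, so the target's parent dirs count too."""
    if depth > 40:
        return None, "too many levels of symbolic links"
    cur = "/" if os.path.isabs(path) else os.getcwd()
    parts = [p for p in path.split("/") if p and p != "."]
    for i, part in enumerate(parts):
        if not _bits(os.lstat(cur), uid, gids) & 1:
            return None, f"no search (x) permission on directory {cur}"
        nxt = os.path.join(cur, part)
        st = os.lstat(nxt)
        if stat.S_ISLNK(st.st_mode):
            target = os.readlink(nxt)
            if not os.path.isabs(target):
                target = os.path.join(cur, target)
            return _resolve(os.path.join(target, *parts[i + 1:]), uid, gids, depth + 1)
        cur = nxt
    return cur, None

def can_read_as(path, uid, gids):
    """(ok, detail): could a process with this uid and group set open `path`
    read-only?  detail is the resolved path, or the component that fails."""
    gids = set(gids)
    try:
        real, err = _resolve(path, uid, gids)
        if err:
            return False, err
        st = os.lstat(real)
    except OSError as e:
        return False, str(e)
    if not _bits(st, uid, gids) & 4:
        return False, f"no read permission on {real}: mode {oct(st.st_mode & 0o777)} owner {st.st_uid}:{st.st_gid}, uid {uid} groups {sorted(gids)}"
    return True, real
```

Feed it the uid and the `Groups:` line from `/proc/<pid>/status` of the running imapd rather than the output of `id cyrus`: a daemon keeps the supplementary groups it had when it was started, so a group membership added afterwards is not visible to it until it is restarted.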
