openvpn: minimal rights on /etc/shellpki/ and crl.pem

CHANGELOG.md

@@ -16,6 +16,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Changed
 
+* openvpn: minimal rights on /etc/shellpki/ and crl.pem
+
 ### Fixed
 
 * evolinux-base: Update PermitRootLogin task to work on Debian 11

openvpn/tasks/debian.yml

@@ -74,8 +74,8 @@
     insertafter: "{{ item.insertafter }}"
     line: "{{ item.line }}"
   with_items:
-     - { regexp: '^    chmod 644 /etc/shellpki/crl.pem$', line: "    chmod 644 /etc/shellpki/crl.pem", insertafter: '^    chmod 640 "\${CACERT}"$' }
-     - { regexp: '^    chmod 755 /etc/shellpki/$', line: "    chmod 755 /etc/shellpki/", insertafter: '^    chmod 644 /etc/shellpki/crl.pem$' }
+     - { regexp: '^    chmod 604 /etc/shellpki/crl.pem$', line: "    chmod 604 /etc/shellpki/crl.pem", insertafter: '^    chmod 640 "\${CACERT}"$' }
+     - { regexp: '^    chmod 751 /etc/shellpki/$', line: "    chmod 751 /etc/shellpki/", insertafter: '^    chmod 604 /etc/shellpki/crl.pem$' }
 
 - name: Deploy OpenVPN server config
   template:

openvpn/tasks/openbsd.yml

@@ -65,8 +65,8 @@
     insertafter: "{{ item.insertafter }}"
     line: "{{ item.line }}"
   with_items:
-     - { regexp: '^    chmod 644 /etc/shellpki/crl.pem$', line: "    chmod 644 /etc/shellpki/crl.pem", insertafter: '^    chmod 640 "\${CACERT}"$' }
-     - { regexp: '^    chmod 755 /etc/shellpki/$', line: "    chmod 755 /etc/shellpki/", insertafter: '^    chmod 644 /etc/shellpki/crl.pem$' }
+     - { regexp: '^    chmod 604 /etc/shellpki/crl.pem$', line: "    chmod 604 /etc/shellpki/crl.pem", insertafter: '^    chmod 640 "\${CACERT}"$' }
+     - { regexp: '^    chmod 751 /etc/shellpki/$', line: "    chmod 751 /etc/shellpki/", insertafter: '^    chmod 604 /etc/shellpki/crl.pem$' }
 
 - name: Deploy OpenVPN server config
   template: