diff --git a/CHANGELOG.md b/CHANGELOG.md
index c280565b..ea992fc6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,8 @@ The **patch** part changes is incremented if multiple releases happen the same m
 ### Changed
+* openvpn: minimal rights on /etc/shellpki/ and crl.pem
+
 ### Fixed
 * evolinux-base: Update PermitRootLogin task to work on Debian 11
diff --git a/openvpn/tasks/debian.yml b/openvpn/tasks/debian.yml
index 3ace1f4c..8a9978d9 100644
--- a/openvpn/tasks/debian.yml
+++ b/openvpn/tasks/debian.yml
@@ -74,8 +74,8 @@
 insertafter: "{{ item.insertafter }}"
 line: "{{ item.line }}"
 with_items:
- - { regexp: '^ chmod 644 /etc/shellpki/crl.pem$', line: " chmod 644 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
- - { regexp: '^ chmod 755 /etc/shellpki/$', line: " chmod 755 /etc/shellpki/", insertafter: '^ chmod 644 /etc/shellpki/crl.pem$' }
+ - { regexp: '^ chmod 604 /etc/shellpki/crl.pem$', line: " chmod 604 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
+ - { regexp: '^ chmod 751 /etc/shellpki/$', line: " chmod 751 /etc/shellpki/", insertafter: '^ chmod 604 /etc/shellpki/crl.pem$' }
 - name: Deploy OpenVPN server config
 template:
diff --git a/openvpn/tasks/openbsd.yml b/openvpn/tasks/openbsd.yml
index 18cd0156..d3238cea 100644
--- a/openvpn/tasks/openbsd.yml
+++ b/openvpn/tasks/openbsd.yml
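Review bot: On a host already patched by the previous version of this task, the new regexps (`'^ chmod 604 /etc/shellpki/crl.pem$'`, `'^ chmod 751 /etc/shellpki/$'`) will not match the existing `chmod 644` / `chmod 755` lines, so the new lines are inserted right after their `insertafter` anchors while the stale lines survive below them — the script then runs `chmod 644` and `chmod 755` last and undoes the tightening. Matching the mode loosely, e.g. `regexp: '^\s*chmod [0-7]+ /etc/shellpki/crl.pem$'` and `regexp: '^\s*chmod [0-7]+ /etc/shellpki/$'`, makes the task replace the old line instead of stacking a second one (the module is inferred from the `regexp`/`line`/`insertafter` keys; its header is above the hunk). Separately, 604 is a surprising "minimal" mode: it removes group read yet keeps world read, so whichever account the daemon drops privileges to reads crl.pem via `other`; if that account has a dedicated group, `640` with matching group ownership would be tighter, and otherwise a short comment justifying 604/751 would help the next reader. The enclosing task starts before this hunk.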
@@ -65,8 +65,8 @@
 insertafter: "{{ item.insertafter }}"
 line: "{{ item.line }}"
 with_items:
- - { regexp: '^ chmod 644 /etc/shellpki/crl.pem$', line: " chmod 644 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
- - { regexp: '^ chmod 755 /etc/shellpki/$', line: " chmod 755 /etc/shellpki/", insertafter: '^ chmod 644 /etc/shellpki/crl.pem$' }
+ - { regexp: '^ chmod 604 /etc/shellpki/crl.pem$', line: " chmod 604 /etc/shellpki/crl.pem", insertafter: '^ chmod 640 "\${CACERT}"$' }
+ - { regexp: '^ chmod 751 /etc/shellpki/$', line: " chmod 751 /etc/shellpki/", insertafter: '^ chmod 604 /etc/shellpki/crl.pem$' }
 - name: Deploy OpenVPN server config
 template:
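Review bot: Same upgrade-path gap as the Debian task: because both regexps now embed the new mode, a shellpki script that already carries `chmod 644 /etc/shellpki/crl.pem` and `chmod 755 /etc/shellpki/` from an earlier run is not rewritten; a second pair of chmod lines is inserted after the anchors and the old, looser ones still execute afterwards, so the host never converges on 604/751. A mode-agnostic pattern such as `regexp: '^\s*chmod [0-7]+ /etc/shellpki/crl.pem$'` (and likewise `'^\s*chmod [0-7]+ /etc/shellpki/$'` for the directory) lets the task replace the existing line. Whether `other` read on crl.pem (604) and `other` traverse on the directory (751) is what OpenVPN on OpenBSD actually needs depends on the user/group it drops to, which is not visible here; if it is a dedicated group, `640`/`750` with matching group ownership would be the genuinely minimal set. The task header and module name are above this hunk.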