From 4341f519f14542dd03aed458ee365b1a4621b51c Mon Sep 17 00:00:00 2001 From: neil Date: Mon, 15 May 2017 19:43:03 +0800 Subject: [PATCH] Updated how about the private key access modes, chmod, or chown or umask (markdown) --- ...e-private-key-access-modes,--chmod,-or-chown-or-umask.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/how-about-the-private-key-access-modes,--chmod,-or-chown-or-umask.md b/how-about-the-private-key-access-modes,--chmod,-or-chown-or-umask.md index a60a7764..e208b428 100644 --- a/how-about-the-private-key-access-modes,--chmod,-or-chown-or-umask.md +++ b/how-about-the-private-key-access-modes,--chmod,-or-chown-or-umask.md @@ -10,9 +10,9 @@ Ok, let me give a longer answer: 2. When you use `--install-cert` command to **copy** the cert to the target locations, we use `cat keyfile > target_key_file` pattern, in which the target file permission is not changed, and you only need **write** permission to the target file. Yes, if the target file doesn't exist for the first time, it will be created with your default *umask*, which is **umask 022** in most of the unix/linux systems. In this case, somebody else *may* read your private key file. But you can change the file mode manually, `chmod 700 target_key_file`. The reason why we don't change the file mode is: - 1. `chmod` may have different support crossing different platforms. - 2. We respect the users choice most. We trust you more than ourselves. you can change the file modes manually, you know your system best. We respect your choice. - 3. There may cause problems if running as root, for example, when running as root, and we default to change the mode to `700` for the private key file, the apache server is commonly running as user `www-data`, it can not read your private key. nginx server has the same problem. Which could cause the normal uses confused. + 1. `chmod` may have different support crossing different platforms. + 2. We respect the users choice most. We trust you more than ourselves. you can change the file modes manually, you know your system best. We respect your choice. + 3. There may cause problems if running as root, for example, when running as root, and we default to change the mode to `700` for the private key file, the apache server is commonly running as user `www-data`, it can not read your private key. nginx server has the same problem. Which could cause the normal uses confused. So, doing more doesn't mean doing better. Less is more.