[arch-general] Why are CA certifcates writable for every user?

David Rosenstrauch darose at darose.net
Thu Feb 5 19:15:23 UTC 2015


Symlinks often (always?) show as 777 permissions.  If you look at the 
actual file that it links to, you'll see the permissions are fine:

[darose at daroseneo ~]$ ls -l 
/etc/ca-certificates/extracted/cadir/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem 

-r--r--r-- 1 root root 1602 Dec 22 09:54 
/etc/ca-certificates/extracted/cadir/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem

DR

On 02/05/2015 02:12 PM, Marcel Kleinfeller wrote:
> Hello!
>
> When I'm doing "cd /etc/ssl/certs/ && ls -al" I see something like this:
>
> [...]
> lrwxrwxrwx 1 root root    102 21. Dez 17:56
> Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem ->
> ../../ca-certificates/extracted/cadir/Verisign_Class_1_Public_Primary_Certification_Authority_-_G3.pem
>
> [...]
>
> All certificates are publicly writable.
>
> I never set chmod to 777 on this directory and I see a great security
> lack here.
> Any program could inject its own certificate there, you should know this
> isn't good ;)
>
> Tell me whether this is just an issue on my own system or a general issue.
>
> Marcel Kleinfeller <marcel at oompf.de>


More information about the arch-general mailing list