Best Practices for private key files handling

Shawn Heisey openssl at elyograg.org
Thu Sep 15 22:15:14 UTC 2022


On 9/15/22 15:40, Philip Prindeville wrote:
> I was thinking of the case where the directory containing the keys (as configured) is correctly owned, but contains a symlink pointing outside of that directory somewhere else... say to a file owned by an ordinary user.
>
> In that case, as has been pointed out, it might be sufficient to just pay attention to the owner/group/modes of the file and reject them if:
>
> (1) the file isn't 600 or 400;
> (2) the file isn't owned by root or the app-id that the app runs at.
>
> Do we agree on that?

Yes, that sounds very good.

That's the potential problem with symlinks.  Rarely should they ever 
point to something that is under the control of an unprivileged user.  
Exceptions might be in cases where you actually do want a configuration 
for that user to come from a directory that they control ... but that 
should only be done in situations where that input is considered 
untrusted and is stringently validated and sanitized before it is used.

If symlinks are used responsibly, they won't have security risks. In 
general, if the program checks the ownership and permissions of the 
actual file before using it, it shouldn't matter whether there is a 
symlink or not.

Thanks,
Shawn
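The two rules agreed above (mode exactly 0600 or 0400; owner root or the application's own uid), applied to the *resolved* file so that a symlink cannot smuggle in an unprivileged user's file, look like this in C. This is an added example written for this thread, not OpenSSL code: the enum, function and fixture names are this example's own, it assumes a POSIX system, and the `fixture_*` helpers only exist to build throwaway files under /tmp for the demonstration.

```c
/* Added example for the openssl-users thread above; not OpenSSL's own code. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Verdicts for the key-file check (names chosen for this example). */
enum key_file_status {
    KEY_OK = 0,
    KEY_OPEN_FAILED,   /* could not open, or path was NULL */
    KEY_NOT_REGULAR,   /* resolved object is a directory, device, ... */
    KEY_BAD_OWNER,     /* rule (2): not root and not the app uid */
    KEY_BAD_MODE       /* rule (1): permission bits not 0600 / 0400 */
};

/*
 * Open the key file, then inspect the *opened* object with fstat().
 * open() follows symlinks, so st_uid/st_mode describe the real file a
 * link resolves to, never the link itself. Checking the descriptor
 * instead of stat()'ing the path also guarantees the object validated
 * is the object later read (no check-then-open race).
 * On KEY_OK, *out_fd is an open read-only descriptor; else it is -1.
 */
enum key_file_status check_key_file(const char *path, uid_t app_uid, int *out_fd)
{
    struct stat st;
    int fd;

    *out_fd = -1;
    if (path == NULL || (fd = open(path, O_RDONLY | O_CLOEXEC)) < 0)
        return KEY_OPEN_FAILED;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return KEY_NOT_REGULAR;
    }
    /* Rule (2): owned by root or by the account the application runs as. */
    if (st.st_uid != 0 && st.st_uid != app_uid) {
        close(fd);
        return KEY_BAD_OWNER;
    }
    /* Rule (1): exactly 0600 or 0400; any group/other bit, setuid etc. fails. */
    mode_t perm = st.st_mode & 07777;
    if (perm != 0600 && perm != 0400) {
        close(fd);
        return KEY_BAD_MODE;
    }
    *out_fd = fd;
    return KEY_OK;
}

/* Convenience wrapper for callers that only want the verdict. */
enum key_file_status key_file_verdict(const char *path, uid_t app_uid)
{
    int fd;
    enum key_file_status s = check_key_file(path, app_uid, &fd);
    if (fd >= 0)
        close(fd);
    return s;
}

/* Constructed fixtures (demo only): a temp file with the requested mode,
 * and a symlink next to it. Static buffers keep the demo short. */
static char g_file[64], g_link[80];

const char *fixture_file(mode_t mode)
{
    strcpy(g_file, "/tmp/keycheck_XXXXXX");
    int fd = mkstemp(g_file);            /* created 0600, owned by us */
    if (fd < 0)
        return NULL;
    int rc = fchmod(fd, mode);           /* set the exact bits under test */
    close(fd);
    return rc == 0 ? g_file : NULL;
}

const char *fixture_symlink(const char *target)
{
    if (target == NULL)
        return NULL;
    snprintf(g_link, sizeof g_link, "%s.lnk", target);
    unlink(g_link);
    return symlink(target, g_link) == 0 ? g_link : NULL;
}

int main(void)
{
    /* A symlink to a world-readable file is rejected on the target's mode. */
    const char *link = fixture_symlink(fixture_file(0644));
    printf("symlink -> 0644 file: %s\n",
           key_file_verdict(link, getuid()) == KEY_OK ? "accepted" : "rejected");
    return 0;
}
```

Because the verdict comes from `fstat()` on the descriptor, a symlink is neither specially allowed nor specially rejected: it is judged purely by where it points, which is exactly the position taken in the reply above.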


