Best Practices for private key files handling

Carson Gaspar carson at
Thu Sep 15 22:31:30 UTC 2022

On 9/15/2022 3:15 PM, Shawn Heisey via openssl-users wrote:
> If symlinks are used responsibly, they won't have security risks. In 
> general, if the program checks the ownership and permissions of the 
> actual file before using it, it shouldn't matter whether there is a 
> symlink or not.

As long as by "before using it" you mean after opening it and checking 
via fstat(). Otherwise you have a race between your check and open().

More information about the openssl-users mailing list