2

I just found this error in my server logs

May 17 14:55:07 marcus dkimproxy.out[1005]: signing error: Error: cannot read /etc/ssl/private/dkim_server/dkim_server.key: Permission denied

dkimproxy runs as the dkim user, a member of both the dkim and ssl-private groups. The key file is chmodded as follows:

# l /etc/ssl/private/dkim_server/

drwxr-x---  2 dkim ssl-private 4096 12 dic  2009 ./
drwxr-x--- 10 root ssl-private 4096 11 apr 16.37 ../
-rw-r-----  1 dkim ssl-private  891 12 dic  2009 dkim_server.key
-rw-r-----  1 dkim ssl-private  272 12 dic  2009 dkim_server.pub

I also did as root sudo -u dkim cat /etc/ssl/private/dkim_server/dkim_server.key and it works.

I had the same problem yesterday, but I had simply forgotten to add dkim to the ssl-private group. After I fixed that I thought I was done.

Now it seems that dkimproxy is still unable to read the private key.

What could I do to fix this problem?

usr-local-ΕΨΗΕΛΩΝ

2 Answers

2

It now works.

Edited /etc/init.d/dkimproxy

Changed

DKIMPROXYGROUP=ssl-private

and restarted...

usr-local-ΕΨΗΕΛΩΝ
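The symptom in this thread (sudo -u dkim can read the key, the running daemon cannot) fits a process that holds fewer groups than the group database lists for its user: sudo and su build a fresh group list at login, while a daemon keeps whatever groups it was started with. The following is an added example, not part of the original posts, that reads the groups a process actually holds from a Linux /proc/PID/status file; the function names, the sample status content and the gids 110 and 115 are constructed, and it assumes the init script starts dkimproxy with only the group named in DKIMPROXYGROUP.

```shell
#!/bin/sh
# Added example: which gids does a running process really hold?
# Linux-only: parses the Gid: and Groups: lines of /proc/<pid>/status.

# proc_gids STATUS_FILE -> filesystem gid plus supplementary gids, sorted
proc_gids() {
    awk '
        $1 == "Gid:"    { print $5 }   # real, effective, saved, filesystem
        $1 == "Groups:" { for (i = 2; i <= NF; i++) print $i }
    ' "$1" | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# proc_has_gid STATUS_FILE GID -> exit 0 if the process holds GID
proc_has_gid() {
    for g in $(proc_gids "$1"); do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# check_daemon PID GROUPNAME -> report on a live process
check_daemon() {
    gid=$(getent group "$2" | cut -d: -f3)
    [ -n "$gid" ] || { echo "no such group: $2" >&2; return 2; }
    if proc_has_gid "/proc/$1/status" "$gid"; then
        echo "pid $1 holds group $2 (gid $gid)"
    else
        echo "pid $1 does NOT hold $2 (gid $gid); held: $(proc_gids "/proc/$1/status")"
        return 1
    fi
}

# Constructed sample status file: write_sample GID "SUPPLEMENTARY GIDS" OUTFILE
write_sample() {
    printf 'Name:\tdkimproxy.out\nUid:\t108\t108\t108\t108\n' > "$3"
    printf 'Gid:\t%s\t%s\t%s\t%s\nGroups:\t%s\n' "$1" "$1" "$1" "$1" "$2" >> "$3"
}

# Stand-alone use: sh script.sh <pid> <group>
if [ "$#" -eq 2 ]; then
    check_daemon "$1" "$2"
fi
```

Run it against the daemon's pid and ssl-private after each restart; a "does NOT hold" result means the group change never reached the running process, whatever `id dkim` reports.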
0

The problem is that the dkim user is unable to access the /etc/ssl/private directory, and possibly /etc/ssl. Either add the dkim user to the ssl-private group or do chmod o+rx /etc/ssl /etc/ssl/private. However, the second choice is somewhat insecure.

DukeLion
  • dkim is already in the ssl-private group. Yesterday it wasn't because of my error, but now it is – usr-local-ΕΨΗΕΛΩΝ May 17 '12 at 13:13
  • Also I did some sudo -u dkim ls /etc... /etc/ssl... /etc/ssl/private etc. All directory listings appeared – usr-local-ΕΨΗΕΛΩΝ May 17 '12 at 13:15
  • Did you restart it after modifying the user? – DukeLion May 17 '12 at 13:20
  • I just restarted and made a new test (I already restarted several times during the past hours) but I found the guilty message a few lines above the tail of my logs – usr-local-ΕΨΗΕΛΩΝ May 17 '12 at 18:23
  • Another weird thing. I enabled /bin/bash as shell for dkim, then did "su dkim" to get full shell access. I could navigate to all directories I needed and even cat the private key file. AFAIK dkimproxy doesn't run in chroot, and, still AFAIK, if you run chrooted you either get a file not found error or read the file you want, you never get a permission denied error – usr-local-ΕΨΗΕΛΩΝ May 17 '12 at 18:27