StreisandEffect / streisand

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
https://twitter.com/streisandvpn

OpenConnect ca.crt generated with 0600 permissions, 403's on download. #1439

Open jsha opened 6 years ago

jsha commented 6 years ago

Expected behavior:

OpenConnect ca.crt can be downloaded by browser client.

Actual Behavior:

403 Forbidden when trying to download /openconnect/ca.crt. This was due to ca.crt having incorrect permissions (0600) on the filesystem.

Steps to Reproduce:

  1. Install streisand (I used the "localhost" method).
  2. Visit /openconnect/ on the server, find the "ca.crt" link and try to download it.

Here are the file permissions as generated:

```
# ls -l /var/www/streisand/openconnect
total 184
-rw------- 1 root root  2082 Sep  4 02:56 ca.crt
-rw------- 1 root root 11563 Sep  4 02:56 carry-normal.mobileconfig
-rw-r--r-- 1 root root  6110 Sep  4 02:56 carry-normal.p12
-rw-r--r-- 1 root root 22640 Sep  4 02:56 index-fr.html
-rw-r--r-- 1 root root 14385 Sep  4 02:56 index-fr.md
-rw-r--r-- 1 root root 20662 Sep  4 02:56 index.html
-rw-r--r-- 1 root root 12386 Sep  4 02:56 index.md
-rw------- 1 root root 11568 Sep  4 02:56 lyrics-olive.mobileconfig
-rw-r--r-- 1 root root  6110 Sep  4 02:56 lyrics-olive.p12
-rw------- 1 root root 11551 Sep  4 02:56 task-birth.mobileconfig
-rw-r--r-- 1 root root  6106 Sep  4 02:56 task-birth.p12
-rw------- 1 root root 11531 Sep  4 02:56 van-shove.mobileconfig
-rw-r--r-- 1 root root  6096 Sep  4 02:56 van-shove.p12
-rw------- 1 root root 11527 Sep  4 02:56 wolf-girl.mobileconfig
-rw-r--r-- 1 root root  6096 Sep  4 02:56 wolf-girl.p12
```

(:wave:)

jsha commented 6 years ago

Note: This also appears to be true of the ca.crt files for OpenVPN: /openvpn/<name>/ca.crt.

nopdotcom commented 5 years ago

That's weird. What's your umask?
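The 403 in the report and the umask question in the last reply are two sides of the same thing: a file created under umask 077 comes out 0600, and a web server that runs as an unprivileged user (assumed here; the thread does not name the server or its user) cannot read it, so it answers 403. The script below is an added example, not code from the streisand project or from anyone in the thread. It shows what mode a fresh file gets under a given umask, audits a directory for files that lack the world-read bit, and restores 0644 on a public artifact such as ca.crt (a CA certificate is public material, so opening it up loses nothing). The sample directory it builds is constructed to mirror the listing in the issue, not copied from a real server.

```shell
#!/bin/sh
# Added example (not from the streisand project or this issue thread).
#   mode_under_umask MASK  -> octal mode a new file gets under MASK
#   audit_unreadable DIR   -> files directly under DIR without the o+r bit,
#                             i.e. the ones an unprivileged web server 403s
#   publish_file FILE      -> chmod 0644 a public artifact and print its mode
#   make_sample_dir        -> constructed directory mirroring the issue listing

file_mode() {
    # Print octal permission bits; GNU stat first, BSD stat as fallback.
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

mode_under_umask() {
    tmp=$(mktemp -d) || return 1
    # Set the umask in a subshell so the caller's mask is untouched.
    ( umask "$1" && : > "$tmp/probe" )
    file_mode "$tmp/probe"
    rm -rf "$tmp"
}

audit_unreadable() {
    # -perm -004 matches files that have at least the "other read" bit;
    # negating it lists exactly the files a non-root reader cannot open.
    find "$1" -maxdepth 1 -type f ! -perm -004 -exec basename {} \; | sort
}

publish_file() {
    # Public download artifacts (certificates, HTML) need 0644, not 0600.
    chmod 0644 "$1" && file_mode "$1"
}

make_sample_dir() {
    # Constructed sample: same names and modes as the listing in the issue,
    # with empty contents. Prints the directory path.
    dir=$(mktemp -d) || return 1
    for f in ca.crt carry-normal.mobileconfig carry-normal.p12 index.html index.md; do
        : > "$dir/$f"
    done
    chmod 0600 "$dir/ca.crt" "$dir/carry-normal.mobileconfig"
    chmod 0644 "$dir/carry-normal.p12" "$dir/index.html" "$dir/index.md"
    printf '%s\n' "$dir"
}

demo() {
    echo "umask 077 -> $(mode_under_umask 077)"   # 600, the mode ca.crt had
    echo "umask 022 -> $(mode_under_umask 022)"   # 644, what the web root needs
    d=$(make_sample_dir)
    echo "unreadable by an unprivileged web server:"
    audit_unreadable "$d"
    echo "after publishing ca.crt (mode $(publish_file "$d/ca.crt")):"
    audit_unreadable "$d"
    rm -rf "$d"
}

demo
```

Running it as root on a server reproduces the diagnosis directly: point `audit_unreadable` at the real web root instead of the sample directory and every name it prints is a file the browser will get a 403 for. Note that the audit only reports the bit; whether a given file should be world-readable (a CA certificate yes, a profile that embeds a client key is a separate question) is a decision the script deliberately leaves to the operator.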