Commit e990789
fix(package): allow openshell group to read client TLS key

The deb postinst installed the client mTLS key at
/etc/openshell/gateways/default/mtls/tls.key as 0600 openshell:openshell,
which made it unreadable to any human user. Group membership in
'openshell' had no effect because the group bits were ---.

Switch the client key to 0640 so members of the openshell group can
authenticate to the local gateway (matching the docker.sock 0660
root:docker pattern). The server-side key under /etc/openshell/gateway/
remains 0600 — only the gateway daemon needs it.

Also extend install-dev.sh to print group-setup instructions and an
admin-equivalence warning, mirroring how get.docker.com handles the
docker group.

1 parent dc1ce0f commit e990789
2 files changed
Lines changed: 16 additions & 2 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
257 | 257 | | |
258 | 258 | | |
259 | 259 | | |
| 260 | + | |
| 261 | + | |
| 262 | + | |
| 263 | + | |
| 264 | + | |
| 265 | + | |
| 266 | + | |
| 267 | + | |
| 268 | + | |
| 269 | + | |
| 270 | + | |
| 271 | + | |
| 272 | + | |
| 273 | + | |
260 | 274 | | |
261 | 275 | | |
262 | 276 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
328 | 328 | | |
329 | 329 | | |
330 | 330 | | |
331 | | - | |
| 331 | + | |
332 | 332 | | |
333 | 333 | | |
334 | 334 | | |
| |||
339 | 339 | | |
340 | 340 | | |
341 | 341 | | |
342 | | - | |
| 342 | + | |
343 | 343 | | |
344 | 344 | | |
345 | 345 | | |
| |||
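Review bot: The two single-line replacements at 331 and 342 are, going by the commit message, where the client key mode moves from 0600 to 0640, and nothing here shows the mode or ownership of /etc/openshell/gateways/default/mtls/ and its parent directories. Group members also need search (x) permission on every directory in that path, otherwise the 0640 key is still unreachable for them; the postinst should set or assert the directory modes next to the key's chmod. It is also worth confirming that the new mode is applied on upgrade to a key that an earlier package version already installed as 0600, not only on first install.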