
Commit e990789

fix(package): allow openshell group to read client TLS key
The deb postinst installed the client mTLS key at /etc/openshell/gateways/default/mtls/tls.key as 0600 openshell:openshell, which made it unreadable to any human user. Group membership in 'openshell' had no effect because the group bits were ---. Switch the client key to 0640 so members of the openshell group can authenticate to the local gateway (matching the docker.sock 0660 root:docker pattern). The server-side key under /etc/openshell/gateway/ remains 0600 — only the gateway daemon needs it. Also extend install-dev.sh to print group-setup instructions and an admin-equivalence warning, mirroring how get.docker.com handles the docker group.
1 parent dc1ce0f commit e990789

2 files changed

Lines changed: 16 additions & 2 deletions

install-dev.sh

Lines changed: 14 additions & 0 deletions
@@ -257,6 +257,20 @@ print_next_steps() {
257257

258258
info "the packaged gateway is registered as the system-wide default"
259259
info "check it with: openshell status"
260+
261+
_target_user="${SUDO_USER:-$USER}"
262+
if [ -n "$_target_user" ] && [ "$_target_user" != "root" ]; then
263+
if ! id -nG "$_target_user" 2>/dev/null | tr ' ' '\n' | grep -qx openshell; then
264+
info ""
265+
info "the gateway's mTLS client key is owned by the 'openshell' group"
266+
info "to run 'openshell status' as ${_target_user}, add yourself to the group:"
267+
info " sudo usermod -aG openshell ${_target_user}"
268+
info " newgrp openshell # or log out and back in"
269+
info ""
270+
info "WARNING: members of the 'openshell' group can authenticate to the"
271+
info "gateway as admin. Only add trusted users."
272+
fi
273+
fi
260274
}
261275

262276
# ---------------------------------------------------------------------------
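Review bot: the `WARNING: members of the 'openshell' group can authenticate to the gateway as admin` lines are printed only inside the `if ! id -nG ... | grep -qx openshell` branch, so an administrator who re-runs the installer after already joining the group never sees the admin-equivalence notice, and neither does anyone who installs the .deb without this script; consider printing the two `WARNING:` lines unconditionally (outside the membership test) and stating the group's meaning in the package's own documentation as well. A smaller point: when `id -nG "$_target_user"` fails because the user does not exist, the `2>/dev/null` swallows the error and the negated test still succeeds, so the script prints `sudo usermod -aG openshell ...` instructions for a user that cannot be added; guard the block with `id "$_target_user" >/dev/null 2>&1 &&` before the membership check.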

tasks/scripts/package-deb.sh

Lines changed: 2 additions & 2 deletions
@@ -328,7 +328,7 @@ EXT
328328
329329
install -o root -g root -m 0644 "$tmpdir/ca.crt" "$client_mtls_dir/ca.crt"
330330
install -o root -g root -m 0644 "$tmpdir/client.crt" "$client_mtls_dir/tls.crt"
331-
install -o openshell -g openshell -m 0600 "$tmpdir/client.key" "$client_mtls_dir/tls.key"
331+
install -o openshell -g openshell -m 0640 "$tmpdir/client.key" "$client_mtls_dir/tls.key"
332332
333333
rm -rf "$tmpdir"
334334
trap - EXIT HUP INT TERM
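Review bot: changing `-m 0600` to `-m 0640` on `tls.key` only has effect if `$client_mtls_dir` and its parents carry the group execute (search) bit, and this hunk does not show how that directory is created or owned; if it is installed as 0700, or 0750 root:root, members of the openshell group still cannot reach the key and the fix is a no-op for them. Suggest making the directory mode explicit next to these `install` lines, for example `install -d -o root -g openshell -m 0750 "$client_mtls_dir"` (ownership and mode are a suggestion, not something the diff establishes), and keeping `-o openshell` on the key so that 0640 yields owner read/write and group read only, with no group write.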
@@ -339,7 +339,7 @@ else
339339
chown root:root "$client_mtls_dir/ca.crt" "$client_mtls_dir/tls.crt"
340340
chmod 0644 "$client_mtls_dir/ca.crt" "$client_mtls_dir/tls.crt"
341341
chown openshell:openshell "$client_mtls_dir/tls.key"
342-
chmod 0600 "$client_mtls_dir/tls.key"
342+
chmod 0640 "$client_mtls_dir/tls.key"
343343
fi
344344
345345
if [ "$1" = "configure" ] && [ -d /run/systemd/system ]; then
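Review bot: this `else` branch is the upgrade path, so on the next `dpkg -i` or apt upgrade an existing installation's key is silently widened from 0600 to 0640, granting read access to anyone already in the openshell group without any of the messaging that install-dev.sh adds in this same commit; since this is a deliberate trust-boundary change (group membership now equals gateway admin), consider either emitting a one-line notice from the postinst when the mode actually changes (compare `stat -c %a "$client_mtls_dir/tls.key"` before the `chmod 0640`) or recording the change in the package changelog so administrators who never run install-dev.sh are told about it.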
