From 9911914e7024225a6524b96f5a9f10234613aa02 Mon Sep 17 00:00:00 2001
From: Devaev Maxim <mdevaev@gmail.com>
Date: Mon, 15 Feb 2021 04:56:06 +0300
Subject: [PATCH] fixed cert perms

---
 kvmd.install         | 10 ++++++----
 scripts/kvmd-gencert |  2 +-
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/kvmd.install b/kvmd.install
index db2cb3a3..ae2297d4 100644
--- a/kvmd.install
+++ b/kvmd.install
@@ -24,10 +24,12 @@ post_upgrade() {
 		kvmd-gencert --do-the-thing --vnc
 	fi
 
-	chown root:root /etc/kvmd/vnc/ssl
-	chown root:root /etc/kvmd/nginx/ssl
-	chmod 755 /etc/kvmd/vnc/ssl
-	chmod 755 /etc/kvmd/nginx/ssl
+	for target in nginx vnc; do
+		chown root:root /etc/kvmd/$target/ssl
+		chown root:kvmd-$target /etc/kvmd/$target/ssl/*
+		chmod 440 /etc/kvmd/$target/ssl/server.key
+		chmod 444 /etc/kvmd/$target/ssl/server.crt
+	done
 
 	echo "==> Patching configs ..."
 	[ ! -f /boot/config.txt ] || sed -i -e 's/^dtoverlay=pi3-disable-bt$/dtoverlay=disable-bt/g' /boot/config.txt
diff --git a/scripts/kvmd-gencert b/scripts/kvmd-gencert
index f96f0c8f..1e635b3e 100755
--- a/scripts/kvmd-gencert
+++ b/scripts/kvmd-gencert
@@ -58,6 +58,6 @@ openssl req -new -x509 -sha256 -nodes -key server.key -out server.crt -days 3650
 	-subj "/C=RU/ST=Moscow/L=Moscow/O=Pi-KVM/OU=Pi-KVM/CN=localhost"
 
 chown root:kvmd-$target /etc/kvmd/$target/ssl/*
-chmod 400 server.key
+chmod 440 server.key
 chmod 444 server.crt
 chmod 755 /etc/kvmd/$target/ssl