In regenerating a potentially compromised SSL/TLS certificate (result of the recent Debian openssl issue) I discovered what appears to be a critical issue with VirtualMin's SSL Certificate Management.
I didn't notice it originally since I generated the CSR and installed the resulting key and certificate manually in a sub-directory of the home. I installed the 'real' certificate files in ~/certificates/
In checking the installed certificate prior to replacement I noticed the files:
-rwxr-xr-x ssl.cert
-rwxr-xr-x ssl.key
in the home directory. I checked them and realised they were for the original default self-signed certificate created when the SSL site was created by VirtualMin, and reported by VirtualMin via 'Server Configuration > Manage SSL Certificate > Current Certificate'.
I copied the 'real' files over these and corrected the paths set in 'Services > Configure Website for SSL > SSL Options > Certificate/private key file' so the files in use were the ones in the home directory.
Via VirtualMin's 'Server Configuration > Manage SSL Certificate > Signing Request' I created a new CSR and submitted it to the CA, and then installed the resulting certificate the same way by pasting the issued PEM certificate text via 'New Certificate'.
On checking the home directory I noticed the permissions on the CSR and the private key file are set:
-rwxr-xr-x ssl.csr
-rwxr-xr-x ssl.key
-rwxr-xr-x ssl.cert
Being executable is strange but not a problem; what is worrying is the private key and CSR being readable by everyone.
On a shared server this would potentially allow unauthorised access to and copying of the private key, resulting in a silently compromised site with no indications of such.
Granted this would require the permissions of the home directories to allow non-user/group access but I seem to recall when originally installing Webmin/Virtualmin that I had to tighten the default home directory permissions to prevent 'everyone' access.
With that in mind it would be preferable that the permissions on the CSR and private key were as tight as possible.
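As an added example (not part of the post and not VirtualMin's own code), a POSIX shell audit that flags an ssl.key or ssl.csr in a home directory which is readable by group or others, as in the listing above, and resets it to owner-only. The file names follow the post; the home directory and key file used in the demo are constructed.

```shell
#!/bin/sh
# Audit the mode bits on a virtual server's TLS private key / CSR and
# report whether anyone other than the owner can read them.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# key_is_exposed FILE -> status 0 if any group/other bit (rwx) is set.
# The leading 0 makes the shell treat the mode as octal; 077 masks
# the group and other bits (mode 000 is reported as "0" by stat and
# is still handled correctly).
key_is_exposed() {
    mode=$(file_mode "$1")
    [ $(( 0$mode & 077 )) -ne 0 ]
}

# lock_down_key FILE -> owner read/write only, no execute bit (0600).
lock_down_key() {
    chmod 0600 "$1"
}

# audit_home HOMEDIR -> one line per sensitive file present;
# returns 1 if any of them is readable beyond the owner.
audit_home() {
    rc=0
    for f in "$1"/ssl.key "$1"/ssl.csr; do
        [ -e "$f" ] || continue
        if key_is_exposed "$f"; then
            printf 'EXPOSED %s (mode %s)\n' "$f" "$(file_mode "$f")"
            rc=1
        else
            printf 'ok      %s (mode %s)\n' "$f" "$(file_mode "$f")"
        fi
    done
    return $rc
}

# Constructed demo: a throwaway "home" with a placeholder key carrying the
# 0755 mode reported in the post, audited before and after tightening.
demo=$(mktemp -d)
printf -- '-----BEGIN PRIVATE KEY-----\n(constructed placeholder, not a real key)\n-----END PRIVATE KEY-----\n' > "$demo/ssl.key"
chmod 0755 "$demo/ssl.key"
audit_home "$demo" || echo 'tightening private key to owner-only'
lock_down_key "$demo/ssl.key"
audit_home "$demo"
rm -rf "$demo"
```

Run it as the account owner or root; on a shared host the same check can be looped over every home directory under /home.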