freeipa/install/tools/ipa-httpd-pwdreader

#!/bin/bash
# This program is a handler written for Apache mod_ssl's SSLPassPhraseDialog.
#
# If you'd like to write your custom binary providing passwords to mod_ssl,
# see the documentation of the aforementioned directive of the mod_ssl module.

USAGE="./ipa-pwdreader host:port RSA|DSA|ECC|number"

if [ "$#" -ne 2 ]; then
    echo "Wrong number of arguments!" 1>&2
    echo "$USAGE" 1>&2
    exit 1
fi

fname=${1/:/-}-$2
pwdpath=/var/lib/ipa/passwds/$fname

# Make sure the values passed in do not contain path information
checkpath=$(/usr/bin/realpath -e ${pwdpath} 2>/dev/null)

if [ $pwdpath == "${checkpath}" ]; then
    cat $pwdpath
else
    echo "Invalid path ${pwdpath}" 1>&2
fi
Encrypt httpd key stored on disk This commit adds configuration for HTTPD to encrypt/decrypt its key which we currently store in clear on the disc. A password-reading script is added for mod_ssl. This script is extensible for the future use of directory server with the expectation that key encryption/decription will be handled similarly by its configuration. https://pagure.io/freeipa/issue/7421 Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 2018-02-26 03:15:05 -06:00			`#!/bin/bash`
			`# This program is a handler written for Apache mod_ssl's SSLPassPhraseDialog.`
			`#`
			`# If you'd like to write your custom binary providing passwords to mod_ssl,`
			`# see the documentation of the aforementioned directive of the mod_ssl module.`

			`USAGE="./ipa-pwdreader host:port RSA\|DSA\|ECC\|number"`

Try to resolve the name passed into the password reader to a file Rather than comparing the value passed in by Apache to a hostname value just see if there is a file of that name in /var/lib/ipa/passwds. Use realpath to see if path information was passed in as one of the options so that someone can't try to return random files from the filesystem. https://pagure.io/freeipa/issue/7528 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2018-09-19 07:35:57 -05:00			`if [ "$#" -ne 2 ]; then`
Encrypt httpd key stored on disk This commit adds configuration for HTTPD to encrypt/decrypt its key which we currently store in clear on the disc. A password-reading script is added for mod_ssl. This script is extensible for the future use of directory server with the expectation that key encryption/decription will be handled similarly by its configuration. https://pagure.io/freeipa/issue/7421 Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 2018-02-26 03:15:05 -06:00			`echo "Wrong number of arguments!" 1>&2`
			`echo "$USAGE" 1>&2`
			`exit 1`
			`fi`

Try to resolve the name passed into the password reader to a file Rather than comparing the value passed in by Apache to a hostname value just see if there is a file of that name in /var/lib/ipa/passwds. Use realpath to see if path information was passed in as one of the options so that someone can't try to return random files from the filesystem. https://pagure.io/freeipa/issue/7528 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2018-09-19 07:35:57 -05:00			`fname=${1/:/-}-$2`
			`pwdpath=/var/lib/ipa/passwds/$fname`
Encrypt httpd key stored on disk This commit adds configuration for HTTPD to encrypt/decrypt its key which we currently store in clear on the disc. A password-reading script is added for mod_ssl. This script is extensible for the future use of directory server with the expectation that key encryption/decription will be handled similarly by its configuration. https://pagure.io/freeipa/issue/7421 Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 2018-02-26 03:15:05 -06:00
Try to resolve the name passed into the password reader to a file Rather than comparing the value passed in by Apache to a hostname value just see if there is a file of that name in /var/lib/ipa/passwds. Use realpath to see if path information was passed in as one of the options so that someone can't try to return random files from the filesystem. https://pagure.io/freeipa/issue/7528 Signed-off-by: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 2018-09-19 07:35:57 -05:00			`# Make sure the values passed in do not contain path information`
			`checkpath=$(/usr/bin/realpath -e ${pwdpath} 2>/dev/null)`

			`if [ $pwdpath == "${checkpath}" ]; then`
			`cat $pwdpath`
			`else`
			`echo "Invalid path ${pwdpath}" 1>&2`
			`fi`