install: fix KRA agent PEM file permissions

This fixes CVE-2015-5284.

https://fedorahosted.org/freeipa/ticket/5347

Reviewed-By: Martin Basti <mbasti@redhat.com>

install/restart_scripts/renew_ra_cert

@@ -63,13 +63,7 @@ def _main():
 
         kra = krainstance.KRAInstance(api.env.realm)
         if kra.is_installed():
-            # export ipaCert with private key for client authentication
-            args = ["/usr/bin/pki",
-                    "-d", paths.HTTPD_ALIAS_DIR,
-                    "-C", paths.ALIAS_PWDFILE_TXT,
-                    "client-cert-show", "ipaCert",
-                    "--client-cert", paths.KRA_AGENT_PEM]
-            ipautil.run(args)
+            krainstance.export_kra_agent_pem()
     finally:
         shutil.rmtree(tmpdir)
 

ipaserver/install/dogtaginstance.py

@@ -23,6 +23,7 @@ import shutil
 import tempfile
 import traceback
 import dbus
+import pwd
 
 from pki.client import PKIConnection
 import pki.system
@@ -88,6 +89,27 @@ def is_installing_replica(sys_type):
         return False
 
 
+def export_kra_agent_pem():
+    """
+    Export ipaCert with private key for client authentication.
+    """
+    fd, filename = tempfile.mkstemp(dir=paths.HTTPD_ALIAS_DIR)
+    os.close(fd)
+
+    args = ["/usr/bin/pki",
+            "-d", paths.HTTPD_ALIAS_DIR,
+            "-C", paths.ALIAS_PWDFILE_TXT,
+            "client-cert-show", "ipaCert",
+            "--client-cert", filename]
+    ipautil.run(args)
+
+    pent = pwd.getpwnam("apache")
+    os.chown(filename, 0, pent.pw_gid)
+    os.chmod(filename, 0o440)
+
+    os.rename(filename, paths.KRA_AGENT_PEM)
+
+
 class DogtagInstance(service.Service):
     """
     This is the base class for a Dogtag 10+ instance, which uses a

ipaserver/install/krainstance.py

@@ -38,8 +38,8 @@ from ipaserver.install import cainstance
 from ipaserver.install import installutils
 from ipaserver.install import ldapupdate
 from ipaserver.install import service
-from ipaserver.install.dogtaginstance import DogtagInstance
-from ipaserver.install.dogtaginstance import DEFAULT_DSPORT, PKI_USER
+from ipaserver.install.dogtaginstance import (
+    DEFAULT_DSPORT, PKI_USER, export_kra_agent_pem, DogtagInstance)
 from ipaserver.plugins import ldap2
 from ipapython.ipa_log_manager import log_mgr
 
@@ -262,13 +262,7 @@ class KRAInstance(DogtagInstance):
 
         shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
 
-        # export ipaCert with private key for client authentication
-        args = ["/usr/bin/pki",
-            "-d", paths.HTTPD_ALIAS_DIR,
-            "-C", paths.ALIAS_PWDFILE_TXT,
-            "client-cert-show", "ipaCert",
-            "--client-cert", paths.KRA_AGENT_PEM]
-        ipautil.run(args)
+        export_kra_agent_pem()
 
         self.log.debug("completed creating KRA instance")
 

ipaserver/install/server/upgrade.py

@@ -38,6 +38,7 @@ from ipaserver.install import otpdinstance
 from ipaserver.install import schemaupdate
 from ipaserver.install import sysupgrade
 from ipaserver.install import dnskeysyncinstance
+from ipaserver.install import krainstance
 from ipaserver.install.upgradeinstance import IPAUpgrade
 from ipaserver.install.ldapupdate import BadSyntax
 
@@ -1250,6 +1251,23 @@ def fix_trust_flags():
     sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)
 
 
+def export_kra_agent_pem():
+    root_logger.info('[Exporting KRA agent PEM file]')
+
+    if sysupgrade.get_upgrade_state('http', 'export_kra_agent_pem'):
+        root_logger.info("KRA agent PEM file already exported")
+        return
+
+    kra = krainstance.KRAInstance(api.env.realm)
+    if not kra.is_installed():
+        root_logger.info("KRA is not installed")
+        return
+
+    krainstance.export_kra_agent_pem()
+
+    sysupgrade.set_upgrade_state('http', 'export_kra_agent_pem', True)
+
+
 def update_mod_nss_protocol(http):
     root_logger.info('[Updating mod_nss protocol versions]')
 
@@ -1452,6 +1470,7 @@ def upgrade_configuration():
     http.stop()
     update_mod_nss_protocol(http)
     fix_trust_flags()
+    export_kra_agent_pem()
     http.start()
 
     uninstall_selfsign(ds, http)