mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
install: fix KRA agent PEM file permissions
This fixes CVE-2015-5284. https://fedorahosted.org/freeipa/ticket/5347 Reviewed-By: Martin Basti <mbasti@redhat.com>
This commit is contained in:
Jan Cholasta
parent
0b797da560
commit
110e85cc74
@ -63,13 +63,7 @@ def _main():
|
|||||||
|
|
||||||
kra = krainstance.KRAInstance(api.env.realm)
|
kra = krainstance.KRAInstance(api.env.realm)
|
||||||
if kra.is_installed():
|
if kra.is_installed():
|
||||||
# export ipaCert with private key for client authentication
|
krainstance.export_kra_agent_pem()
|
||||||
args = ["/usr/bin/pki",
|
|
||||||
"-d", paths.HTTPD_ALIAS_DIR,
|
|
||||||
"-C", paths.ALIAS_PWDFILE_TXT,
|
|
||||||
"client-cert-show", "ipaCert",
|
|
||||||
"--client-cert", paths.KRA_AGENT_PEM]
|
|
||||||
ipautil.run(args)
|
|
||||||
finally:
|
finally:
|
||||||
shutil.rmtree(tmpdir)
|
shutil.rmtree(tmpdir)
|
||||||
|
|
||||||
|
|||||||
@ -23,6 +23,7 @@ import shutil
|
|||||||
import tempfile
|
import tempfile
|
||||||
import traceback
|
import traceback
|
||||||
import dbus
|
import dbus
|
||||||
|
import pwd
|
||||||
|
|
||||||
from pki.client import PKIConnection
|
from pki.client import PKIConnection
|
||||||
import pki.system
|
import pki.system
|
||||||
@ -88,6 +89,27 @@ def is_installing_replica(sys_type):
|
|||||||
return False
|
return False
|
||||||
|
|
||||||
|
|
||||||
|
def export_kra_agent_pem():
|
||||||
|
"""
|
||||||
|
Export ipaCert with private key for client authentication.
|
||||||
|
"""
|
||||||
|
fd, filename = tempfile.mkstemp(dir=paths.HTTPD_ALIAS_DIR)
|
||||||
|
os.close(fd)
|
||||||
|
|
||||||
|
args = ["/usr/bin/pki",
|
||||||
|
"-d", paths.HTTPD_ALIAS_DIR,
|
||||||
|
"-C", paths.ALIAS_PWDFILE_TXT,
|
||||||
|
"client-cert-show", "ipaCert",
|
||||||
|
"--client-cert", filename]
|
||||||
|
ipautil.run(args)
|
||||||
|
|
||||||
|
pent = pwd.getpwnam("apache")
|
||||||
|
os.chown(filename, 0, pent.pw_gid)
|
||||||
|
os.chmod(filename, 0o440)
|
||||||
|
|
||||||
|
os.rename(filename, paths.KRA_AGENT_PEM)
|
||||||
|
|
||||||
|
|
||||||
class DogtagInstance(service.Service):
|
class DogtagInstance(service.Service):
|
||||||
"""
|
"""
|
||||||
This is the base class for a Dogtag 10+ instance, which uses a
|
This is the base class for a Dogtag 10+ instance, which uses a
|
||||||
|
|||||||
@ -38,8 +38,8 @@ from ipaserver.install import cainstance
|
|||||||
from ipaserver.install import installutils
|
from ipaserver.install import installutils
|
||||||
from ipaserver.install import ldapupdate
|
from ipaserver.install import ldapupdate
|
||||||
from ipaserver.install import service
|
from ipaserver.install import service
|
||||||
from ipaserver.install.dogtaginstance import DogtagInstance
|
from ipaserver.install.dogtaginstance import (
|
||||||
from ipaserver.install.dogtaginstance import DEFAULT_DSPORT, PKI_USER
|
DEFAULT_DSPORT, PKI_USER, export_kra_agent_pem, DogtagInstance)
|
||||||
from ipaserver.plugins import ldap2
|
from ipaserver.plugins import ldap2
|
||||||
from ipapython.ipa_log_manager import log_mgr
|
from ipapython.ipa_log_manager import log_mgr
|
||||||
|
|
||||||
@ -262,13 +262,7 @@ class KRAInstance(DogtagInstance):
|
|||||||
|
|
||||||
shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
|
shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
|
||||||
|
|
||||||
# export ipaCert with private key for client authentication
|
export_kra_agent_pem()
|
||||||
args = ["/usr/bin/pki",
|
|
||||||
"-d", paths.HTTPD_ALIAS_DIR,
|
|
||||||
"-C", paths.ALIAS_PWDFILE_TXT,
|
|
||||||
"client-cert-show", "ipaCert",
|
|
||||||
"--client-cert", paths.KRA_AGENT_PEM]
|
|
||||||
ipautil.run(args)
|
|
||||||
|
|
||||||
self.log.debug("completed creating KRA instance")
|
self.log.debug("completed creating KRA instance")
|
||||||
|
|
||||||
|
|||||||
@ -38,6 +38,7 @@ from ipaserver.install import otpdinstance
|
|||||||
from ipaserver.install import schemaupdate
|
from ipaserver.install import schemaupdate
|
||||||
from ipaserver.install import sysupgrade
|
from ipaserver.install import sysupgrade
|
||||||
from ipaserver.install import dnskeysyncinstance
|
from ipaserver.install import dnskeysyncinstance
|
||||||
|
from ipaserver.install import krainstance
|
||||||
from ipaserver.install.upgradeinstance import IPAUpgrade
|
from ipaserver.install.upgradeinstance import IPAUpgrade
|
||||||
from ipaserver.install.ldapupdate import BadSyntax
|
from ipaserver.install.ldapupdate import BadSyntax
|
||||||
|
|
||||||
@ -1250,6 +1251,23 @@ def fix_trust_flags():
|
|||||||
sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)
|
sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)
|
||||||
|
|
||||||
|
|
||||||
|
def export_kra_agent_pem():
|
||||||
|
root_logger.info('[Exporting KRA agent PEM file]')
|
||||||
|
|
||||||
|
if sysupgrade.get_upgrade_state('http', 'export_kra_agent_pem'):
|
||||||
|
root_logger.info("KRA agent PEM file already exported")
|
||||||
|
return
|
||||||
|
|
||||||
|
kra = krainstance.KRAInstance(api.env.realm)
|
||||||
|
if not kra.is_installed():
|
||||||
|
root_logger.info("KRA is not installed")
|
||||||
|
return
|
||||||
|
|
||||||
|
krainstance.export_kra_agent_pem()
|
||||||
|
|
||||||
|
sysupgrade.set_upgrade_state('http', 'export_kra_agent_pem', True)
|
||||||
|
|
||||||
|
|
||||||
def update_mod_nss_protocol(http):
|
def update_mod_nss_protocol(http):
|
||||||
root_logger.info('[Updating mod_nss protocol versions]')
|
root_logger.info('[Updating mod_nss protocol versions]')
|
||||||
|
|
||||||
@ -1452,6 +1470,7 @@ def upgrade_configuration():
|
|||||||
http.stop()
|
http.stop()
|
||||||
update_mod_nss_protocol(http)
|
update_mod_nss_protocol(http)
|
||||||
fix_trust_flags()
|
fix_trust_flags()
|
||||||
|
export_kra_agent_pem()
|
||||||
http.start()
|
http.start()
|
||||||
|
|
||||||
uninstall_selfsign(ds, http)
|
uninstall_selfsign(ds, http)
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user