IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Ensure that public cert and CA bundle are readable

Browse Source 
In CIS hardened mode, the process umask is 027. This results in some
files not being world readable. Ensure that write_certificate_list()
calls in client installer, server installer, and upgrader create cert
bundles with permission bits 0644.

Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This commit is contained in:
Christian Heimes
2018-06-22 12:17:23 +02:00
committed by Tibor Dudlák
parent 0e21d93391
commit ba8cbb8c62
8 changed files with 21 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
ipaclient/install/client.py
View File

@@ -1879,7 +1879,7 @@ def get_ca_certs(fstore, options, server, basedn, realm):
if ca_certs is not None: if ca_certs is not None:
try: try:
x509.write_certificate_list(ca_certs, ca_file) x509.write_certificate_list(ca_certs, ca_file, mode=0o644)
except Exception as e: except Exception as e:
if os.path.exists(ca_file): if os.path.exists(ca_file):
try: try:
@@ -2874,10 +2874,14 @@ def _install(options):
x509.write_certificate_list( x509.write_certificate_list(
[c for c, n, t, u in ca_certs if t is not False], [c for c, n, t, u in ca_certs if t is not False],
paths.KDC_CA_BUNDLE_PEM) paths.KDC_CA_BUNDLE_PEM,
mode=0o644
)
x509.write_certificate_list( x509.write_certificate_list(
[c for c, n, t, u in ca_certs if t is not False], [c for c, n, t, u in ca_certs if t is not False],
paths.CA_BUNDLE_PEM) paths.CA_BUNDLE_PEM,
mode=0o644
)
# Add the CA certificates to the IPA NSS database # Add the CA certificates to the IPA NSS database
logger.debug("Adding CA certificates to the IPA NSS database.") logger.debug("Adding CA certificates to the IPA NSS database.")

4
ipaclient/install/ipa_certupdate.py
View File

@@ -186,10 +186,10 @@ def update_server(certs):
update_file(paths.CACERT_PEM, certs) update_file(paths.CACERT_PEM, certs)
def update_file(filename, certs, mode=0o444): def update_file(filename, certs, mode=0o644):
certs = (c[0] for c in certs if c[2] is not False) certs = (c[0] for c in certs if c[2] is not False)
try: try:
x509.write_certificate_list(certs, filename) x509.write_certificate_list(certs, filename, mode=mode)
except Exception as e: except Exception as e:
logger.error("failed to update %s: %s", filename, e) logger.error("failed to update %s: %s", filename, e)

4
ipalib/x509.py
View File

@@ -553,7 +553,7 @@ def write_certificate(cert, filename):
raise errors.FileError(reason=str(e)) raise errors.FileError(reason=str(e))
def write_certificate_list(certs, filename): def write_certificate_list(certs, filename, mode=None):
""" """
Write a list of certificates to a file in PEM format. Write a list of certificates to a file in PEM format.
@@ -563,6 +563,8 @@ def write_certificate_list(certs, filename):
try: try:
with open(filename, 'wb') as f: with open(filename, 'wb') as f:
if mode is not None:
os.fchmod(f.fileno(), mode)
for cert in certs: for cert in certs:
f.write(cert.public_bytes(Encoding.PEM)) f.write(cert.public_bytes(Encoding.PEM))
except (IOError, OSError) as e: except (IOError, OSError) as e:

2
ipaserver/install/cainstance.py
View File

@@ -849,7 +849,7 @@ class CAInstance(DogtagInstance):
for path in [paths.IPA_CA_CRT, for path in [paths.IPA_CA_CRT,
paths.KDC_CA_BUNDLE_PEM, paths.KDC_CA_BUNDLE_PEM,
paths.CA_BUNDLE_PEM]: paths.CA_BUNDLE_PEM]:
x509.write_certificate_list(certlist, path) x509.write_certificate_list(certlist, path, mode=0o644)
def __request_ra_certificate(self): def __request_ra_certificate(self):
""" """

2
ipaserver/install/httpinstance.py
View File

@@ -432,7 +432,7 @@ class HTTPInstance(service.Service):
raise RuntimeError("HTTPD cert was issued by an unknown CA.") raise RuntimeError("HTTPD cert was issued by an unknown CA.")
# at this time we can assume any CA cert will be valid since this is # at this time we can assume any CA cert will be valid since this is
# only run during installation # only run during installation
x509.write_certificate_list(certlist, paths.CA_CRT) x509.write_certificate_list(certlist, paths.CA_CRT, mode=0o644)
def is_kdcproxy_configured(self): def is_kdcproxy_configured(self):
"""Check if KDC proxy has already been configured in the past""" """Check if KDC proxy has already been configured in the past"""

6
ipaserver/install/installutils.py
View File

@@ -1104,7 +1104,11 @@ def load_external_cert(files, ca_subject):
cert_file.flush() cert_file.flush()
ca_file = tempfile.NamedTemporaryFile() ca_file = tempfile.NamedTemporaryFile()
x509.write_certificate_list(ca_cert_chain[1:], ca_file.name) x509.write_certificate_list(
ca_cert_chain[1:],
ca_file.name,
mode=0o644
)
ca_file.flush() ca_file.flush()
return cert_file, ca_file return cert_file, ca_file

2
ipaserver/install/krbinstance.py
View File

@@ -505,7 +505,7 @@ class KrbInstance(service.Service):
self.api.env.realm, self.api.env.realm,
False) False)
ca_certs = [c for c, _n, t, _u in ca_certs if t is not False] ca_certs = [c for c, _n, t, _u in ca_certs if t is not False]
x509.write_certificate_list(ca_certs, paths.CACERT_PEM) x509.write_certificate_list(ca_certs, paths.CACERT_PEM, mode=0o644)
def issue_selfsigned_pkinit_certs(self): def issue_selfsigned_pkinit_certs(self):
self._call_certmonger(certmonger_ca="SelfSign") self._call_certmonger(certmonger_ca="SelfSign")

2
ipaserver/install/server/replicainstall.py
View File

@@ -145,7 +145,7 @@ def install_ca_cert(ldap, base_dn, realm, cafile, destfile=paths.IPA_CA_CRT):
pass pass
else: else:
certs = [c[0] for c in certs if c[2] is not False] certs = [c[0] for c in certs if c[2] is not False]
x509.write_certificate_list(certs, destfile) x509.write_certificate_list(certs, destfile, mode=0o644)
except Exception as e: except Exception as e:
raise ScriptError("error copying files: " + str(e)) raise ScriptError("error copying files: " + str(e))
return destfile return destfile