IntenseWebs/freeipa
3
0
Fork 0
mirror of https://salsa.debian.org/freeipa-team/freeipa.git synced 2025-02-25 18:55:28 -06:00
Code Issues Packages Projects Releases Wiki Activity

Secure permissions of Custodia server.keys

Browse Source 
Custodia's server.keys file contain the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only secured by permission 700 of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.

https://bugzilla.redhat.com/show_bug.cgi?id=1353936
https://fedorahosted.org/freeipa/ticket/6056

Reviewed-By: Martin Basti <mbasti@redhat.com>
This commit is contained in:
Christian Heimes 2016-08-08 15:05:52 +02:00 committed by Martin Basti
parent 9021b64966
commit d9ab0097e1
2 changed files with 9 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
ipapython/secrets/kem.py
View File

@ -1,6 +1,7 @@
# Copyright (C) 2015 IPA Project Contributors, see COPYING for license
from __future__ import print_function
import os
from ipaplatform.paths import paths
from six.moves.configparser import ConfigParser
from ipapython.dn import DN
@ -143,7 +144,9 @@ class KEMLdap(iSecLdap):
def newServerKeys(path, keyid):
skey = JWK(generate='RSA', use='sig', kid=keyid)
ekey = JWK(generate='RSA', use='enc', kid=keyid)
with open(path, 'w+') as f:
with open(path, 'w') as f:
os.fchmod(f.fileno(), 0o600)
os.fchown(f.fileno(), 0, 0)
f.write('[%s,%s]' % (skey.export(), ekey.export()))
return [skey.get_op_key('verify'), ekey.get_op_key('encrypt')]

5
ipaserver/install/custodiainstance.py
View File

@ -15,6 +15,7 @@ from jwcrypto.common import json_decode
import functools
import shutil
import os
import stat
import tempfile
import pwd
@ -73,6 +74,10 @@ class CustodiaInstance(SimpleServiceInstance):
if not sysupgrade.get_upgrade_state("custodia", "installed"):
root_logger.info("Custodia service is being configured")
self.create_instance()
mode = os.stat(self.server_keys).st_mode
if stat.S_IMODE(mode) != 0o600:
root_logger.info("Secure server.keys mode")
os.chmod(self.server_keys, 0o600)
def create_replica(self, master_host_name):
suffix = ipautil.realm_to_suffix(self.realm)