diff options
| author | mharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2009-02-12 18:35:32 +0000 |
|---|---|---|
| committer | mharmsen <mharmsen@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2009-02-12 18:35:32 +0000 |
| commit | 7afb54c93ae56ea4bf09fc5012045b4e7c19a9ec (patch) | |
| tree | 5dafd62821ed01a6d5540b5b9b02f3f19677f7a7 /pki/base/ra/lib | |
| parent | 7315a95377ee364d8f14c68ef4a469fc7dae743d (diff) | |
| download | pki-7afb54c93ae56ea4bf09fc5012045b4e7c19a9ec.tar.gz pki-7afb54c93ae56ea4bf09fc5012045b4e7c19a9ec.tar.xz pki-7afb54c93ae56ea4bf09fc5012045b4e7c19a9ec.zip | |
Bugzilla Bug #467155 - Change "renameTo" to "cp -p ".
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@225 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/ra/lib')
| -rwxr-xr-x | pki/base/ra/lib/perl/PKI/RA/CertRequestPanel.pm | 1 | ||||
| -rwxr-xr-x | pki/base/ra/lib/perl/PKI/RA/Config.pm | 12 | ||||
| -rwxr-xr-x | pki/base/ra/lib/perl/PKI/RA/DonePanel.pm | 11 | ||||
| -rwxr-xr-x | pki/base/ra/lib/perl/PKI/RA/Login.pm | 31 | ||||
| -rwxr-xr-x | pki/base/ra/lib/perl/PKI/RA/NamePanel.pm | 10 | ||||
| -rwxr-xr-x | pki/base/ra/lib/perl/PKI/RA/ReqCertInfo.pm | 1 | ||||
| -rwxr-xr-x | pki/base/ra/lib/perl/PKI/RA/wizard.pm | 29 |
7 files changed, 81 insertions, 14 deletions
diff --git a/pki/base/ra/lib/perl/PKI/RA/CertRequestPanel.pm b/pki/base/ra/lib/perl/PKI/RA/CertRequestPanel.pm index 63e57c4fa..ab58610ec 100755 --- a/pki/base/ra/lib/perl/PKI/RA/CertRequestPanel.pm +++ b/pki/base/ra/lib/perl/PKI/RA/CertRequestPanel.pm @@ -100,6 +100,7 @@ sub update my $token_pwd = $::pwdconf->get($tokenname); $token_pwd =~ s/\n//g; open FILE, ">$instanceDir/conf/.pwfile"; + system( "chmod 00660 $instanceDir/conf/.pwfile" ); print FILE $token_pwd; close FILE; diff --git a/pki/base/ra/lib/perl/PKI/RA/Config.pm b/pki/base/ra/lib/perl/PKI/RA/Config.pm index 317b9d91a..6dab970bd 100755 --- a/pki/base/ra/lib/perl/PKI/RA/Config.pm +++ b/pki/base/ra/lib/perl/PKI/RA/Config.pm @@ -104,10 +104,14 @@ sub commit my $suffix = time(); if (-e $self->{filename}) { - system("mv \"" . $self->{filename} . "\" \"" . + # Create a copy of the original file which + # preserves the original file permissions + system("cp -p \"" . $self->{filename} . "\" \"" . $self->{filename} . "." . $suffix . "\""); } + # Overwrite the contents of the original file + # to preserve the original file permissions open(F, ">" . $self->{filename}); foreach my $k (sort keys %{$hash}) { print F "$k=$self->{hash}{$k}\n"; @@ -127,9 +131,13 @@ sub commit_with_backup # print $self->{filename} . "\n"; my $hash = $self->{hash}; my $suffix = time(); - system("mv \"" . $self->{filename} . "\" \"" . + # Create a copy of the original file which + # preserves the original file permissions + system("cp -p \"" . $self->{filename} . "\" \"" . $self->{filename} . "." . $suffix . "\""); + # Overwrite the contents of the original file + # to preserve the original file permissions open(F, ">" . $self->{filename}); foreach my $k (sort keys %{$hash}) { print F "$k=$self->{hash}{$k}\n"; diff --git a/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm b/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm index 3e8b02f1a..b44f9db89 100755 --- a/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm +++ b/pki/base/ra/lib/perl/PKI/RA/DonePanel.pm @@ -117,6 +117,7 @@ sub register_ra my $token_pwd = $::pwdconf->get($tokenname); open FILE, ">$instDir/conf/.pwfile"; + system( "chmod 00660 $instDir/conf/.pwfile" ); $token_pwd =~ s/\n//g; print FILE $token_pwd; close FILE; @@ -300,6 +301,7 @@ sub display # update nss.conf open(TMP_NSS_CONF, ">$instDir/conf/nss.conf.tmp"); + system( "chmod 00660 $instDir/conf/nss.conf.tmp" ); open(NSS_CONF, "<$instDir/conf/nss.conf"); while (<NSS_CONF>) { if (/NSSVerifyClient none/) { @@ -315,7 +317,14 @@ sub display close(NSS_CONF); close(TMP_NSS_CONF); - system("mv $instDir/conf/nss.conf.tmp $instDir/conf/nss.conf"); + # Create a copy of the original file which + # preserves the original file permissions + system( "cp -p $instDir/conf/nss.conf.tmp $instDir/conf/nss.conf" ); + + # Remove the original file only if the backup copy was successful + if( -e "$instDir/conf/nss.conf" ) { + system( "rm $instDir/conf/nss.conf.tmp" ); + } &PKI::RA::Wizard::debug_log("DonePanel: Connecting to Security Domain"); diff --git a/pki/base/ra/lib/perl/PKI/RA/Login.pm b/pki/base/ra/lib/perl/PKI/RA/Login.pm index 0eab829cd..250b278be 100755 --- a/pki/base/ra/lib/perl/PKI/RA/Login.pm +++ b/pki/base/ra/lib/perl/PKI/RA/Login.pm @@ -102,6 +102,9 @@ $config->load_file("$pkiroot/conf/CS.cfg"); # read password cache file my $pwdconf = PKI::RA::Config->new(); $pwdconf->load_file("$pkiroot/conf/pwcache.conf"); +if( -e "$pkiroot/conf/pwcache.conf" ) { + system( "chmod 00660 $pkiroot/conf/pwcache.conf" ); +} # create cfg debug log open(DEBUG, ">>" . $config->get("service.instanceDir") . @@ -231,7 +234,10 @@ sub render_panel # fill in variables for new panel if ($currentpanel->{panelvars}) { $Data::Dumper::Indent = 1; - &debug_log("q=".Dumper($q)); + # The '&debug_log("q=".Dumper($q));' call must be commented out to fix + # Bugzilla Bug #249923: Incorrect file permissions on + # various files and/or directories + # &debug_log("q=".Dumper($q)); $currentpanel->{panelvars}($q); } @@ -290,10 +296,10 @@ sub handler { my $q = new CGI; # check cookie - my $pin = $q->param('pin'); + my $pin = $q->param('__pin'); if (defined($pin)) { my $cookie = $q->cookie( - -name=>'pin', + -name=>'__pin', -value=> $pin, -expires=>'+1y', -path=>'/'); @@ -305,7 +311,24 @@ sub handler { &debug_log("RA wizard: uri='" . $ENV{REQUEST_URI} . "'"); my @pnames = $q->param(); foreach $pn (@pnames) { - if ($pn =~ /^__/) { + # added this facility so that password can be hidden, + # all sensitive parameters should be prefixed with + # __ (double underscores); however, in the event that + # a security parameter slips through, we perform multiple + # additional checks to insure that it is NOT displayed + if( $pn =~ /^__/ || + $pn =~ /password$/ || + $pn =~ /passwd$/ || + $pn =~ /pwd$/ || + $pn =~ /admin_password_again/i || + $pn =~ /bindpassword/i || + $pn =~ /bindpwd/i || + $pn =~ /passwd/i || + $pn =~ /password/i || + $pn =~ /pin/i || + $pn =~ /pwd/i || + $pn =~ /pwdagain/i || + $pn =~ /uPasswd/i ) { &debug_log("RA wizard: http parameter name='" . $pn . "' value='(sensitive)'"); } else { &debug_log("RA wizard: http parameter name='" . $pn . "' value='" . $q->param($pn) . "'"); diff --git a/pki/base/ra/lib/perl/PKI/RA/NamePanel.pm b/pki/base/ra/lib/perl/PKI/RA/NamePanel.pm index 326db2dd5..0a67dc213 100755 --- a/pki/base/ra/lib/perl/PKI/RA/NamePanel.pm +++ b/pki/base/ra/lib/perl/PKI/RA/NamePanel.pm @@ -151,6 +151,7 @@ sub update my $token_pwd = $::pwdconf->get($tokenname); &PKI::RA::Wizard::debug_log("NamePanel: creating pwfile"); open FILE, ">$instanceDir/conf/.pwfile"; + system( "chmod 00660 $instanceDir/conf/.pwfile" ); $token_pwd =~ s/\n//g; print FILE $token_pwd; close FILE; @@ -188,6 +189,7 @@ sub update &PKI::RA::Wizard::debug_log("NamePanel: update got key type $keytype"); my $req; + my $debug_req; my $filename = "/tmp/random.$$"; `dd if\=/dev/urandom of\=\"$filename\" count\=256 bs\=1`; if ($keytype eq "rsa") { @@ -286,14 +288,14 @@ GEN_CERT: } if ($changed eq "true") { $req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port"; +$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port"; } else { $req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port"; +$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port"; } - &PKI::RA::Wizard::debug_log("req = " . $req); - system("$req > $tmpfile"); - my $content = `cat $tmpfile`; - system("rm $tmpfile"); + &PKI::RA::Wizard::debug_log("debug_req = " . $debug_req); + my $content = `$req`; &PKI::RA::Wizard::debug_log("content = " . $content); $content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/; diff --git a/pki/base/ra/lib/perl/PKI/RA/ReqCertInfo.pm b/pki/base/ra/lib/perl/PKI/RA/ReqCertInfo.pm index c752d6a48..75fba5c42 100755 --- a/pki/base/ra/lib/perl/PKI/RA/ReqCertInfo.pm +++ b/pki/base/ra/lib/perl/PKI/RA/ReqCertInfo.pm @@ -157,6 +157,7 @@ sub get_cert_pp my $token_pwd = $::pwdconf->get($tokenname); open FILE, ">$instanceDir/conf/.pwfile"; + system( "chmod 00660 $instanceDir/conf/.pwfile" ); $token_pwd =~ s/\n//g; print FILE $token_pwd; close FILE; diff --git a/pki/base/ra/lib/perl/PKI/RA/wizard.pm b/pki/base/ra/lib/perl/PKI/RA/wizard.pm index c17143ce0..f7d87223a 100755 --- a/pki/base/ra/lib/perl/PKI/RA/wizard.pm +++ b/pki/base/ra/lib/perl/PKI/RA/wizard.pm @@ -99,6 +99,9 @@ $config->load_file("$pkiroot/conf/CS.cfg"); # read password cache file my $pwdconf = PKI::RA::Config->new(); $pwdconf->load_file("$pkiroot/conf/pwcache.conf"); +if( -e "$pkiroot/conf/pwcache.conf" ) { + system( "chmod 00660 $pkiroot/conf/pwcache.conf" ); +} # create cfg debug log my $logfile = $config->get("service.instanceDir") . "/logs/debug"; @@ -260,7 +263,10 @@ sub render_panel # fill in variables for new panel if ($currentpanel->{panelvars}) { $Data::Dumper::Indent = 1; - &debug_log("q=".Dumper($q)); + # The '&debug_log("q=".Dumper($q));' call must be commented out to fix + # Bugzilla Bug #249923: Incorrect file permissions on + # various files and/or directories + # &debug_log("q=".Dumper($q)); $currentpanel->{panelvars}($q); } @@ -317,7 +323,7 @@ sub handler { my $q = new CGI; # check cookie - my $cookie = $q->cookie('pin'); + my $cookie = $q->cookie('__pin'); my $pin = $::config->get("preop.pin"); if ($cookie ne $pin) { print $q->redirect("login"); @@ -328,7 +334,24 @@ sub handler { &debug_log("RA wizard: uri='" . $ENV{REQUEST_URI} . "'"); my @pnames = $q->param(); foreach $pn (@pnames) { - if ($pn =~ /^__/) { + # added this facility so that password can be hidden, + # all sensitive parameters should be prefixed with + # __ (double underscores); however, in the event that + # a security parameter slips through, we perform multiple + # additional checks to insure that it is NOT displayed + if( $pn =~ /^__/ || + $pn =~ /password$/ || + $pn =~ /passwd$/ || + $pn =~ /pwd$/ || + $pn =~ /admin_password_again/i || + $pn =~ /bindpassword/i || + $pn =~ /bindpwd/i || + $pn =~ /passwd/i || + $pn =~ /password/i || + $pn =~ /pin/i || + $pn =~ /pwd/i || + $pn =~ /pwdagain/i || + $pn =~ /uPasswd/i ) { &debug_log("RA wizard: http parameter name='" . $pn . "' value='(sensitive)'"); } else { &debug_log("RA wizard: http parameter name='" . $pn . "' value='" . $q->param($pn) . "'"); |