Diffstat (limited to 'pki/base/tps/lib')
-rwxr-xr-xpki/base/tps/lib/perl/PKI/TPS/CertRequestPanel.pm1
-rwxr-xr-xpki/base/tps/lib/perl/PKI/TPS/Config.pm12
-rwxr-xr-xpki/base/tps/lib/perl/PKI/TPS/DonePanel.pm11
-rwxr-xr-xpki/base/tps/lib/perl/PKI/TPS/Login.pm31
-rwxr-xr-xpki/base/tps/lib/perl/PKI/TPS/NamePanel.pm10
-rwxr-xr-xpki/base/tps/lib/perl/PKI/TPS/ReqCertInfo.pm1
-rwxr-xr-xpki/base/tps/lib/perl/PKI/TPS/wizard.pm35
7 files changed, 85 insertions, 16 deletions
diff --git a/pki/base/tps/lib/perl/PKI/TPS/CertRequestPanel.pm b/pki/base/tps/lib/perl/PKI/TPS/CertRequestPanel.pm
index 0ce493496..156c0d0ab 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/CertRequestPanel.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/CertRequestPanel.pm
@@ -99,6 +99,7 @@ sub update
my $token_pwd = $::pwdconf->get($tokenname);
$token_pwd =~ s/\n//g;
open FILE, ">$instanceDir/conf/.pwfile";
+ system( "chmod 00660 $instanceDir/conf/.pwfile" );
print FILE $token_pwd;
close FILE;
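Review bot: The password file is still created with whatever mode the process umask allows and only narrowed afterwards by a shell `chmod`, so there is a window in which `.pwfile` can be readable more widely than 0660, and neither the `open` nor the `system` result is checked. Setting the umask around the open (`my $old_umask = umask(0007);` before it, `umask($old_umask);` after) and using the built-in `chmod 0660, "$instanceDir/conf/.pwfile";` closes that window for a newly created file and keeps the interpolated path away from a shell. The same create-then-chmod pattern recurs in the `.pwfile` hunks of DonePanel.pm, NamePanel.pm and ReqCertInfo.pm, in the `nss.conf.tmp` hunk of DonePanel.pm, and in the `touch`/`chmod` of the debug log in wizard.pm. `sub update` begins and ends outside this hunk.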
diff --git a/pki/base/tps/lib/perl/PKI/TPS/Config.pm b/pki/base/tps/lib/perl/PKI/TPS/Config.pm
index c6cce70fd..9972660e9 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/Config.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/Config.pm
@@ -103,10 +103,14 @@ sub commit
my $suffix = time();
if (-e $self->{filename}) {
- system("mv \"" . $self->{filename} . "\" \"" .
+ # Create a copy of the original file which
+ # preserves the original file permissions
+ system("cp -p \"" . $self->{filename} . "\" \"" .
$self->{filename} . "." . $suffix . "\"");
}
+ # Overwrite the contents of the original file
+ # to preserve the original file permissions
open(F, ">" . $self->{filename});
foreach my $k (sort keys %{$hash}) {
print F "$k=$self->{hash}{$k}\n";
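Review bot: The result of the `cp -p` is not checked before `open(F, ">" . $self->{filename})` truncates the original, so a failed copy (full disk, unwritable directory) leaves no backup while the live file is rewritten in place; the `commit_with_backup` hunk below has the same gap. The file name is also spliced into a shell string, where a `"`, `$` or backtick in `$self->{filename}` would be interpreted by the shell. The list form avoids the shell and yields a status to test: `system("cp", "-p", $self->{filename}, $self->{filename} . "." . $suffix) == 0 or return;` (what callers expect on failure is not visible here). Both subs continue outside their hunks.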
@@ -126,9 +130,13 @@ sub commit_with_backup
# print $self->{filename} . "\n";
my $hash = $self->{hash};
my $suffix = time();
- system("mv \"" . $self->{filename} . "\" \"" .
+ # Create a copy of the original file which
+ # preserves the original file permissions
+ system("cp -p \"" . $self->{filename} . "\" \"" .
$self->{filename} . "." . $suffix . "\"");
+ # Overwrite the contents of the original file
+ # to preserve the original file permissions
open(F, ">" . $self->{filename});
foreach my $k (sort keys %{$hash}) {
print F "$k=$self->{hash}{$k}\n";
diff --git a/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm b/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm
index 1f5b1a4d5..677ae3cd4 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/DonePanel.pm
@@ -116,6 +116,7 @@ sub register_tps
my $token_pwd = $::pwdconf->get($tokenname);
open FILE, ">$instDir/conf/.pwfile";
+ system( "chmod 00660 $instDir/conf/.pwfile" );
$token_pwd =~ s/\n//g;
print FILE $token_pwd;
close FILE;
@@ -312,6 +313,7 @@ sub display
# update nss.conf
open(TMP_NSS_CONF, ">$instDir/conf/nss.conf.tmp");
+ system( "chmod 00660 $instDir/conf/nss.conf.tmp" );
open(NSS_CONF, "<$instDir/conf/nss.conf");
while (<NSS_CONF>) {
if (/NSSVerifyClient none/) {
@@ -327,7 +329,14 @@ sub display
close(NSS_CONF);
close(TMP_NSS_CONF);
- system("mv $instDir/conf/nss.conf.tmp $instDir/conf/nss.conf");
+ # Create a copy of the original file which
+ # preserves the original file permissions
+ system( "cp -p $instDir/conf/nss.conf.tmp $instDir/conf/nss.conf" );
+
+ # Remove the original file only if the backup copy was successful
+ if( -e "$instDir/conf/nss.conf" ) {
+ system( "rm $instDir/conf/nss.conf.tmp" );
+ }
&PKI::TPS::Wizard::debug_log("DonePanel: Connecting to Security Domain");
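Review bot: The `-e "$instDir/conf/nss.conf"` test cannot tell whether the copy worked, because `nss.conf` already existed (it is opened for reading earlier in `display`), so the temporary file is removed even when `cp` failed. The added comment is also inaccurate: `cp -p` gives the destination the mode and timestamps of `nss.conf.tmp` (and its ownership where permitted), not those `nss.conf` had before. Testing the exit status does what the comment intends: `if (system("cp", "-p", "$instDir/conf/nss.conf.tmp", "$instDir/conf/nss.conf") == 0) { unlink("$instDir/conf/nss.conf.tmp"); }`. `display` starts and ends outside this hunk.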
diff --git a/pki/base/tps/lib/perl/PKI/TPS/Login.pm b/pki/base/tps/lib/perl/PKI/TPS/Login.pm
index 22809a022..7a8fd817a 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/Login.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/Login.pm
@@ -101,6 +101,9 @@ $config->load_file("$pkiroot/conf/CS.cfg");
# read password cache file
my $pwdconf = PKI::TPS::Config->new();
$pwdconf->load_file("$pkiroot/conf/pwcache.conf");
+if( -e "$pkiroot/conf/pwcache.conf" ) {
+ system( "chmod 00660 $pkiroot/conf/pwcache.conf" );
+}
# create cfg debug log
open(DEBUG, ">>" . $config->get("service.instanceDir") .
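Review bot: The debug log opened on the last line of this hunk is left at the process's default mode, whereas the matching hunk in wizard.pm now restricts its `logs/debug` file to 0660 before opening it; presumably this is the same file, so if Login.pm is loaded first on a fresh instance the log is created with the wider mode. The `chmod` on `pwcache.conf` also goes through a shell with an interpolated path and its result is ignored; the built-in `chmod 0660, "$pkiroot/conf/pwcache.conf";` needs no shell and returns a count that can be checked. The `open(DEBUG, ...)` statement continues past the end of the hunk.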
@@ -230,7 +233,10 @@ sub render_panel
# fill in variables for new panel
if ($currentpanel->{panelvars}) {
$Data::Dumper::Indent = 1;
- &debug_log("q=".Dumper($q));
+ # The '&debug_log("q=".Dumper($q));' call must be commented out to fix
+ # Bugzilla Bug #249923: Incorrect file permissions on
+ # various files and/or directories
+ # &debug_log("q=".Dumper($q));
$currentpanel->{panelvars}($q);
}
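Review bot: The added comment says the `Dumper($q)` call was disabled for a file-permissions bug but not why, and it keeps the dead call as a commented-out line that is easy to re-enable. A comment that states the actual risk would serve the next maintainer better, for example `# Do not dump $q here: it would write every request parameter value, including passwords, to the debug log.`, with the old call deleted rather than commented out. As far as the hunk shows, `$Data::Dumper::Indent = 1;` no longer has any effect in this block. The same applies to the identical `render_panel` hunk in wizard.pm.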
@@ -289,10 +295,10 @@ sub handler {
my $q = new CGI;
# check cookie
- my $pin = $q->param('pin');
+ my $pin = $q->param('__pin');
if (defined($pin)) {
my $cookie = $q->cookie(
- -name=>'pin',
+ -name=>'__pin',
-value=> $pin,
-expires=>'+1y',
-path=>'/');
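Review bot: The renamed `__pin` cookie is still issued without `-secure` or `-httponly` and with a one-year lifetime, although wizard.pm compares this cookie against `preop.pin` as its access check. If the bundled CGI.pm supports them, adding `-secure=>1,` and `-httponly=>1,` to this `cookie(...)` call keeps the pin off plain-HTTP requests and out of page scripts, and a shorter `-expires` would fit a value that is only needed during pre-op configuration. The rest of `handler` lies outside the hunk, so how the cookie is sent is not visible here.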
@@ -304,7 +310,24 @@ sub handler {
&debug_log("TPS wizard: uri='" . $ENV{REQUEST_URI} . "'");
my @pnames = $q->param();
foreach $pn (@pnames) {
- if ($pn =~ /^__/) {
+ # added this facility so that password can be hidden,
+ # all sensitive parameters should be prefixed with
+ # __ (double underscores); however, in the event that
+ # a security parameter slips through, we perform multiple
+ # additional checks to insure that it is NOT displayed
+ if( $pn =~ /^__/ ||
+ $pn =~ /password$/ ||
+ $pn =~ /passwd$/ ||
+ $pn =~ /pwd$/ ||
+ $pn =~ /admin_password_again/i ||
+ $pn =~ /bindpassword/i ||
+ $pn =~ /bindpwd/i ||
+ $pn =~ /passwd/i ||
+ $pn =~ /password/i ||
+ $pn =~ /pin/i ||
+ $pn =~ /pwd/i ||
+ $pn =~ /pwdagain/i ||
+ $pn =~ /uPasswd/i ) {
&debug_log("TPS wizard: http parameter name='" . $pn . "' value='(sensitive)'");
} else {
&debug_log("TPS wizard: http parameter name='" . $pn . "' value='" . $q->param($pn) . "'");
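Review bot: The redaction test is a deny-list, so the `else` branch still writes the raw value of any sensitive parameter whose name is not on it (a name such as `secret` or `token`, to give constructed examples); logging only the parameter name, or the value only for an explicit allow-list, fails safe instead. The thirteen alternatives are also largely redundant: `/passwd/i`, `/password/i`, `/pwd/i` and `/pin/i` already cover every other entry except `/^__/`, so the condition reduces to `if ($pn =~ /^__|passw(?:or)?d|pwd|pin/i) {`. Note that `/pin/i` matches any name that merely contains "pin", which over-redacts but is harmless. The identical block in wizard.pm's `handler` hunk should change with this one.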
diff --git a/pki/base/tps/lib/perl/PKI/TPS/NamePanel.pm b/pki/base/tps/lib/perl/PKI/TPS/NamePanel.pm
index 8ac588bfd..21ef98a4a 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/NamePanel.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/NamePanel.pm
@@ -150,6 +150,7 @@ sub update
my $token_pwd = $::pwdconf->get($tokenname);
&PKI::TPS::Wizard::debug_log("NamePanel: creating pwfile");
open FILE, ">$instanceDir/conf/.pwfile";
+ system( "chmod 00660 $instanceDir/conf/.pwfile" );
$token_pwd =~ s/\n//g;
print FILE $token_pwd;
close FILE;
@@ -187,6 +188,7 @@ sub update
&PKI::TPS::Wizard::debug_log("NamePanel: update got key type $keytype");
my $req;
+ my $debug_req;
my $filename = "/tmp/random.$$";
`dd if\=/dev/urandom of\=\"$filename\" count\=256 bs\=1`;
if ($keytype eq "rsa") {
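Review bot: The commit tightens file modes elsewhere but leaves `/tmp/random.$$` in place: a predictable name in a world-writable directory, created by a shell `dd` with the default umask. Since the file appears to hold random seed material (its use is outside this hunk), creating it with File::Temp, for example `my ($seed_fh, $filename) = File::Temp::tempfile("random.XXXXXX", DIR => "/tmp");`, would give an unpredictable name and owner-only access. That would need `use File::Temp;` at the top of the module, which is not visible here.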
@@ -285,14 +287,14 @@ GEN_CERT:
}
if ($changed eq "true") {
$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$token_pwd\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port";
+$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port";
} else {
$req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"$db_password\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port";
+$debug_req = "/usr/bin/sslget -e \"$params\" -d \"$instanceDir/alias\" -p \"(sensitive)\" -v -n \"$sslnickname\" -r \"/ca/ee/ca/profileSubmit\" $host:$port";
}
- &PKI::TPS::Wizard::debug_log("req = " . $req);
- system("$req > $tmpfile");
- my $content = `cat $tmpfile`;
- system("rm $tmpfile");
+ &PKI::TPS::Wizard::debug_log("debug_req = " . $debug_req);
+ my $content = `$req`;
&PKI::TPS::Wizard::debug_log("content = " . $content);
$content =~ /(\<XMLResponse\>.*\<\/XMLResponse\>)/;
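Review bot: The password is now hidden from the debug log, but `$req` still carries it inside a double-quoted shell string run through backticks, so a `"`, `$` or backtick in `$token_pwd`, `$db_password` or `$params` is interpreted by the shell. The two `$debug_req` assignments are identical and could be one statement outside the `if`. Running sslget through a list-form pipe open removes the shell; the password remains a command-line argument (visible in the process list), and whether sslget can read it another way is not shown on this page. `$content`, which is logged in full on the next line, is the server response and may deserve the same scrutiny. `update` continues outside the hunk.

```perl
# … unchanged: the $changed branches, which then only need to build $debug_req …
my $sslget_pwd = ($changed eq "true") ? $token_pwd : $db_password;
my @sslget_cmd = ("/usr/bin/sslget", "-e", $params, "-d", "$instanceDir/alias",
                  "-p", $sslget_pwd, "-v", "-n", $sslnickname,
                  "-r", "/ca/ee/ca/profileSubmit", "$host:$port");
&PKI::TPS::Wizard::debug_log("debug_req = " . $debug_req);
my $content = "";
# List-form pipe open: the arguments reach sslget without passing through a shell.
if (open(my $sslget_out, "-|", @sslget_cmd)) {
    local $/;
    $content = <$sslget_out>;
    $content = "" unless defined($content);
    close($sslget_out);
}
```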
diff --git a/pki/base/tps/lib/perl/PKI/TPS/ReqCertInfo.pm b/pki/base/tps/lib/perl/PKI/TPS/ReqCertInfo.pm
index 100962465..c96609d23 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/ReqCertInfo.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/ReqCertInfo.pm
@@ -156,6 +156,7 @@ sub get_cert_pp
my $token_pwd = $::pwdconf->get($tokenname);
open FILE, ">$instanceDir/conf/.pwfile";
+ system( "chmod 00660 $instanceDir/conf/.pwfile" );
$token_pwd =~ s/\n//g;
print FILE $token_pwd;
close FILE;
diff --git a/pki/base/tps/lib/perl/PKI/TPS/wizard.pm b/pki/base/tps/lib/perl/PKI/TPS/wizard.pm
index 075893da2..1dc27b0d5 100755
--- a/pki/base/tps/lib/perl/PKI/TPS/wizard.pm
+++ b/pki/base/tps/lib/perl/PKI/TPS/wizard.pm
@@ -100,10 +100,15 @@ $config->load_file("$pkiroot/conf/CS.cfg");
# read password cache file
my $pwdconf = PKI::TPS::Config->new();
$pwdconf->load_file("$pkiroot/conf/pwcache.conf");
+if( -e "$pkiroot/conf/pwcache.conf" ) {
+ system( "chmod 00660 $pkiroot/conf/pwcache.conf" );
+}
# create cfg debug log
-open(DEBUG, ">>" . $config->get("service.instanceDir") .
- "/logs/debug");
+my $logfile = $config->get("service.instanceDir") . "/logs/debug";
+system( "touch $logfile" );
+system( "chmod 00660 $logfile" );
+open(DEBUG, ">>" . $logfile);
# apache server
@@ -263,7 +268,10 @@ sub render_panel
# fill in variables for new panel
if ($currentpanel->{panelvars}) {
$Data::Dumper::Indent = 1;
- &debug_log("q=".Dumper($q));
+ # The '&debug_log("q=".Dumper($q));' call must be commented out to fix
+ # Bugzilla Bug #249923: Incorrect file permissions on
+ # various files and/or directories
+ # &debug_log("q=".Dumper($q));
$currentpanel->{panelvars}($q);
}
@@ -323,7 +331,7 @@ sub handler {
my $q = new CGI;
# check cookie
- my $cookie = $q->cookie('pin');
+ my $cookie = $q->cookie('__pin');
my $pin = $::config->get("preop.pin");
if ($cookie ne $pin) {
print $q->redirect("login");
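Review bot: The access check `$cookie ne $pin` passes when both sides are undefined or empty, because Perl compares them as equal empty strings; if `preop.pin` can ever be missing from the configuration, a request with no `__pin` cookie is let through. Making the condition fail closed costs one line: `if (!defined($pin) || $pin eq "" || !defined($cookie) || $cookie ne $pin) {`. Whether `preop.pin` is always set when this handler runs is not visible in the hunk, and `handler` continues outside it.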
@@ -334,7 +342,24 @@ sub handler {
&debug_log("TPS wizard: uri='" . $ENV{REQUEST_URI} . "'");
my @pnames = $q->param();
foreach $pn (@pnames) {
- if ($pn =~ /^__/) {
+ # added this facility so that password can be hidden,
+ # all sensitive parameters should be prefixed with
+ # __ (double underscores); however, in the event that
+ # a security parameter slips through, we perform multiple
+ # additional checks to insure that it is NOT displayed
+ if( $pn =~ /^__/ ||
+ $pn =~ /password$/ ||
+ $pn =~ /passwd$/ ||
+ $pn =~ /pwd$/ ||
+ $pn =~ /admin_password_again/i ||
+ $pn =~ /bindpassword/i ||
+ $pn =~ /bindpwd/i ||
+ $pn =~ /passwd/i ||
+ $pn =~ /password/i ||
+ $pn =~ /pin/i ||
+ $pn =~ /pwd/i ||
+ $pn =~ /pwdagain/i ||
+ $pn =~ /uPasswd/i ) {
&debug_log("TPS wizard: http parameter name='" . $pn . "' value='(sensitive)'");
} else {
&debug_log("TPS wizard: http parameter name='" . $pn . "' value='" . $q->param($pn) . "'");