diff options
| author | Jan Cholasta <jcholast@redhat.com> | 2015-09-21 08:32:04 +0200 |
|---|---|---|
| committer | Jan Cholasta <jcholast@redhat.com> | 2015-10-08 13:41:08 +0200 |
| commit | 110e85cc74051b02556ca2c43176c9ded40e75aa (patch) | |
| tree | 8ba221ea3fc4033e6ebbc79cc52be0e7ca25c741 /install/restart_scripts | |
| parent | 0b797da56095801bfa80653465c04bae0809df8d (diff) | |
| download | freeipa-110e85cc74051b02556ca2c43176c9ded40e75aa.tar.gz freeipa-110e85cc74051b02556ca2c43176c9ded40e75aa.tar.xz freeipa-110e85cc74051b02556ca2c43176c9ded40e75aa.zip | |
install: fix KRA agent PEM file permissions
This fixes CVE-2015-5284.
https://fedorahosted.org/freeipa/ticket/5347
Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'install/restart_scripts')
| -rw-r--r-- | install/restart_scripts/renew_ra_cert | 8 |
1 files changed, 1 insertions, 7 deletions
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert index 4337e7a44..57cfd92ad 100644 --- a/install/restart_scripts/renew_ra_cert +++ b/install/restart_scripts/renew_ra_cert @@ -63,13 +63,7 @@ def _main(): kra = krainstance.KRAInstance(api.env.realm) if kra.is_installed(): - # export ipaCert with private key for client authentication - args = ["/usr/bin/pki", - "-d", paths.HTTPD_ALIAS_DIR, - "-C", paths.ALIAS_PWDFILE_TXT, - "client-cert-show", "ipaCert", - "--client-cert", paths.KRA_AGENT_PEM] - ipautil.run(args) + krainstance.export_kra_agent_pem() finally: shutil.rmtree(tmpdir) |