| author | Christian Heimes <cheimes@redhat.com> | 2016-08-08 15:05:52 +0200 |
|---|---|---|
| committer | Martin Basti <mbasti@redhat.com> | 2016-08-24 16:59:43 +0200 |
| commit | d9ab0097e15618b0c614b3fdfa2ac4ea52b902c0 (patch) | |
| tree | 0c76c3fad20300f334448f0e59a268a5783dbc17 | |
| parent | 9021b649661ed135a4ee18ffe3728d661e6674a6 (diff) | |
Secure permissions of Custodia server.keys
Custodia's server.keys file contains the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only secured by permission 700 of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.
https://bugzilla.redhat.com/show_bug.cgi?id=1353936
https://fedorahosted.org/freeipa/ticket/6056
Reviewed-By: Martin Basti <mbasti@redhat.com>
| -rw-r--r-- | ipapython/secrets/kem.py | 5 | ||||
| -rw-r--r-- | ipaserver/install/custodiainstance.py | 5 |
2 files changed, 9 insertions, 1 deletions
diff --git a/ipapython/secrets/kem.py b/ipapython/secrets/kem.py
index d45efe8cc..fb51e64a6 100644
--- a/ipapython/secrets/kem.py
+++ b/ipapython/secrets/kem.py
@@ -1,6 +1,7 @@
# Copyright (C) 2015 IPA Project Contributors, see COPYING for license
from __future__ import print_function
+import os
from ipaplatform.paths import paths
from six.moves.configparser import ConfigParser
from ipapython.dn import DN
@@ -143,7 +144,9 @@ class KEMLdap(iSecLdap):
def newServerKeys(path, keyid):
skey = JWK(generate='RSA', use='sig', kid=keyid)
ekey = JWK(generate='RSA', use='enc', kid=keyid)
- with open(path, 'w+') as f:
+ with open(path, 'w') as f:
+ os.fchmod(f.fileno(), 0o600)
+ os.fchown(f.fileno(), 0, 0)
f.write('[%s,%s]' % (skey.export(), ekey.export()))
return [skey.get_op_key('verify'), ekey.get_op_key('encrypt')]
diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index fd30430bb..785f86fc1 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -15,6 +15,7 @@ from jwcrypto.common import json_decode
import functools
import shutil
import os
+import stat
import tempfile
import pwd
@@ -73,6 +74,10 @@ class CustodiaInstance(SimpleServiceInstance):
if not sysupgrade.get_upgrade_state("custodia", "installed"):
root_logger.info("Custodia service is being configured")
self.create_instance()
+ mode = os.stat(self.server_keys).st_mode
+ if stat.S_IMODE(mode) != 0o600:
+ root_logger.info("Secure server.keys mode")
+ os.chmod(self.server_keys, 0o600)
def create_replica(self, master_host_name):
suffix = ipautil.realm_to_suffix(self.realm) |
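Review bot: `open(path, 'w')` in newServerKeys still creates server.keys with the umask-derived mode, and `os.fchmod` narrows it only afterwards, so a descriptor opened in between (or one already held on a pre-existing 0644 file, since 'w' truncates in place) stays readable once the keys are written. Per the commit message the 0700 directory limits who can reach the path, so this is hardening rather than an open hole. Creating the file with its final mode avoids the window: `fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` then `with os.fdopen(fd, 'w') as f:`; writing to a temporary file in the same directory and `os.rename`-ing it over `path` would also cover the pre-existing file. `os.fchown(f.fileno(), 0, 0)` raises when the caller is not root, which deserves a short comment stating that assumption.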
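Review bot: The upgrade check added after `self.create_instance()` repairs only the mode of server.keys, while newServerKeys in kem.py also forces ownership to 0:0, so a file with the right mode but the wrong owner passes unchanged. Comparing ownership as well keeps the two paths consistent: `st = os.stat(self.server_keys)`, `if stat.S_IMODE(st.st_mode) != 0o600 or st.st_uid != 0 or st.st_gid != 0:` and an `os.chown(self.server_keys, 0, 0)` next to the `os.chmod`. `os.stat` also raises if the file is missing, and whether that can happen on this path is not visible here because the enclosing method starts outside the hunk. A log line that includes the previous mode would make the change easier to audit after an upgrade.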
