diff options
author | Christian Heimes <cheimes@redhat.com> | 2016-08-08 15:05:52 +0200 |
---|---|---|
committer | Martin Basti <mbasti@redhat.com> | 2016-08-24 16:59:43 +0200 |
commit | d9ab0097e15618b0c614b3fdfa2ac4ea52b902c0 (patch) | |
tree | 0c76c3fad20300f334448f0e59a268a5783dbc17 /ipapython | |
parent | 9021b649661ed135a4ee18ffe3728d661e6674a6 (diff) | |
download | freeipa-d9ab0097e15618b0c614b3fdfa2ac4ea52b902c0.tar.gz freeipa-d9ab0097e15618b0c614b3fdfa2ac4ea52b902c0.tar.xz freeipa-d9ab0097e15618b0c614b3fdfa2ac4ea52b902c0.zip |
Secure permissions of Custodia server.keys
Custodia's server.keys file contain the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only secured by permission 700 of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.
https://bugzilla.redhat.com/show_bug.cgi?id=1353936
https://fedorahosted.org/freeipa/ticket/6056
Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipapython')
-rw-r--r-- | ipapython/secrets/kem.py | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/ipapython/secrets/kem.py b/ipapython/secrets/kem.py index d45efe8cc..fb51e64a6 100644 --- a/ipapython/secrets/kem.py +++ b/ipapython/secrets/kem.py @@ -1,6 +1,7 @@ # Copyright (C) 2015 IPA Project Contributors, see COPYING for license from __future__ import print_function +import os from ipaplatform.paths import paths from six.moves.configparser import ConfigParser from ipapython.dn import DN @@ -143,7 +144,9 @@ class KEMLdap(iSecLdap): def newServerKeys(path, keyid): skey = JWK(generate='RSA', use='sig', kid=keyid) ekey = JWK(generate='RSA', use='enc', kid=keyid) - with open(path, 'w+') as f: + with open(path, 'w') as f: + os.fchmod(f.fileno(), 0o600) + os.fchown(f.fileno(), 0, 0) f.write('[%s,%s]' % (skey.export(), ekey.export())) return [skey.get_op_key('verify'), ekey.get_op_key('encrypt')] |