authorChristian Heimes <cheimes@redhat.com>2016-08-08 15:05:52 +0200
committerMartin Basti <mbasti@redhat.com>2016-08-24 16:59:43 +0200
commitd9ab0097e15618b0c614b3fdfa2ac4ea52b902c0 (patch)
tree0c76c3fad20300f334448f0e59a268a5783dbc17 /ipaserver/install/custodiainstance.py
parent9021b649661ed135a4ee18ffe3728d661e6674a6 (diff)
Secure permissions of Custodia server.keys
Custodia's server.keys file contains the private RSA keys used for encrypting and signing Custodia messages. The file was created with permission 644 and was only protected by the 700 permission of the directory /etc/ipa/custodia. The installer and upgrader now ensure that the file has mode 600. https://bugzilla.redhat.com/show_bug.cgi?id=1353936 https://fedorahosted.org/freeipa/ticket/6056 Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipaserver/install/custodiainstance.py')
-rw-r--r--ipaserver/install/custodiainstance.py5
1 files changed, 5 insertions, 0 deletions
diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index fd30430bb..785f86fc1 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -15,6 +15,7 @@ from jwcrypto.common import json_decode
import functools
import shutil
import os
+import stat
import tempfile
import pwd
@@ -73,6 +74,10 @@ class CustodiaInstance(SimpleServiceInstance):
if not sysupgrade.get_upgrade_state("custodia", "installed"):
root_logger.info("Custodia service is being configured")
self.create_instance()
+ mode = os.stat(self.server_keys).st_mode
+ if stat.S_IMODE(mode) != 0o600:
+ root_logger.info("Secure server.keys mode")
+ os.chmod(self.server_keys, 0o600)
def create_replica(self, master_host_name):
suffix = ipautil.realm_to_suffix(self.realm)
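Review bot: The added `os.stat(self.server_keys)` after `self.create_instance()` raises OSError if server.keys is absent, which would abort the installer/upgrader rather than just skip the hardening; unless create_instance() guarantees the file exists on every path this runs (it is outside the hunk, so I cannot tell), consider guarding with `if os.path.isfile(self.server_keys):` or catching the `OSError`. The mode check also looks only at permission bits, so a key file owned by the wrong user still passes; the check could be tightened to compare `st_uid`/`st_gid` against the expected owner as well, e.g. log and fix when `st.st_uid != 0`. The stat-then-chmod is a read-then-write on the same path; since chmod to 0o600 is idempotent, an unconditional `os.chmod(self.server_keys, 0o600)` is simpler and avoids the window between the two calls. Note that on a fresh install the file still exists briefly with the mode create_instance() gave it; the 0700 directory mitigates that, but creating the file with 0o600 at write time would close it fully. The rendered page lost indentation, so whether the chmod sits inside or after the `if not sysupgrade...` block is not visible here; the commit message implies it runs on both install and upgrade.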