-rw-r--r--ipapython/secrets/kem.py5
-rw-r--r--ipaserver/install/custodiainstance.py5
2 files changed, 9 insertions, 1 deletions
diff --git a/ipapython/secrets/kem.py b/ipapython/secrets/kem.py
index d45efe8cc..fb51e64a6 100644
--- a/ipapython/secrets/kem.py
+++ b/ipapython/secrets/kem.py
@@ -1,6 +1,7 @@
# Copyright (C) 2015 IPA Project Contributors, see COPYING for license
from __future__ import print_function
+import os
from ipaplatform.paths import paths
from six.moves.configparser import ConfigParser
from ipapython.dn import DN
@@ -143,7 +144,9 @@ class KEMLdap(iSecLdap):
def newServerKeys(path, keyid):
skey = JWK(generate='RSA', use='sig', kid=keyid)
ekey = JWK(generate='RSA', use='enc', kid=keyid)
- with open(path, 'w+') as f:
+ with open(path, 'w') as f:
+ os.fchmod(f.fileno(), 0o600)
+ os.fchown(f.fileno(), 0, 0)
f.write('[%s,%s]' % (skey.export(), ekey.export()))
return [skey.get_op_key('verify'), ekey.get_op_key('encrypt')]
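Review bot: The key file is still created with the umask-derived mode by `open(path, 'w')` and only narrowed afterwards by the `os.fchmod` on the next line, so correctness depends on that ordering and on nothing writing to the file before it runs; creating it with the final mode removes both dependencies, e.g. `fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)` followed by `with os.fdopen(fd, 'w') as f:`. Because the write comes after both calls, the exported JWKs themselves are never on disk under the permissive mode, so this is hardening rather than a leak fix. The `os.fchown(f.fileno(), 0, 0)` call hardcodes root:root and raises PermissionError when the caller is not root, which is presumably the installer's situation; a one-line comment such as `# server.keys must be root-owned and 0600; caller runs as root during install` would make that precondition explicit for the next maintainer.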
diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index fd30430bb..785f86fc1 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -15,6 +15,7 @@ from jwcrypto.common import json_decode
import functools
import shutil
import os
+import stat
import tempfile
import pwd
@@ -73,6 +74,10 @@ class CustodiaInstance(SimpleServiceInstance):
if not sysupgrade.get_upgrade_state("custodia", "installed"):
root_logger.info("Custodia service is being configured")
self.create_instance()
+ mode = os.stat(self.server_keys).st_mode
+ if stat.S_IMODE(mode) != 0o600:
+ root_logger.info("Secure server.keys mode")
+ os.chmod(self.server_keys, 0o600)
def create_replica(self, master_host_name):
suffix = ipautil.realm_to_suffix(self.realm)
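Review bot: The upgrade check `if stat.S_IMODE(mode) != 0o600:` repairs only the permission bits of an existing server.keys, while the companion change in ipapython/secrets/kem.py also forces root:root ownership on newly written files via `os.fchown`; an existing file with a different owner keeps that owner's read access even after the chmod. Keeping the two paths consistent means checking ownership in the same place, along the lines of `st = os.stat(self.server_keys)` and `if stat.S_IMODE(st.st_mode) != 0o600 or st.st_uid != 0 or st.st_gid != 0:` with `os.chown(self.server_keys, 0, 0)` added next to the chmod. Indentation is lost in this rendering, so I cannot tell whether the added lines sit inside the `if not sysupgrade.get_upgrade_state("custodia", "installed"):` branch; if they do, servers that are already installed never reach the check, which appears to be the case the hunk is meant to cover, so this is worth confirming against the original file. The enclosing method starts before the hunk.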