From 4d6a58a6e4af720a376699ba7c49ecfa3be88da4 Mon Sep 17 00:00:00 2001 From: Dave Brolley Date: Thu, 29 Jan 2009 15:28:02 -0500 Subject: Improved certificate security for the client/server. --- stap-gen-server-cert | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'stap-gen-server-cert') diff --git a/stap-gen-server-cert b/stap-gen-server-cert index f6445d8d..9b4a776b 100755 --- a/stap-gen-server-cert +++ b/stap-gen-server-cert @@ -43,7 +43,7 @@ rm -fr $1 # Create the server's certificate database directory. serverdb=$1/server -if ! mkdir -p $serverdb; then +if ! mkdir -p -m 755 $serverdb; then echo "Unable to create the server certificate database directory: $serverdb" >&2 exit 1 fi @@ -73,6 +73,12 @@ dd bs=123 count=1 < /dev/urandom > $1/noise 2> /dev/null certutil -R -d $serverdb -f $serverdb/pw -s "CN=Systemtap Compile Server, OU=Systemtap, O=Red Hat, C=US" -o $1/stap-server.req -z $1/noise 2> /dev/null rm -fr $1/noise +# Create the certificate file first so that it always has the proper access permissions. +if ! (touch $serverdb/stap-server.cert && chmod 644 $serverdb/stap-server.cert); then + echo "Unable to create the server certificate file: $serverdb/stap-server.cert" >&2 + exit 1 +fi + # Now generate the actual certificate. certutil -C -i $1/stap-server.req -o $serverdb/stap-server.cert -x -d $serverdb -f $serverdb/pw -5 -8 "$HOSTNAME,localhost" >/dev/null <<-EOF 1 @@ -83,10 +89,5 @@ y EOF rm -fr $1/stap-server.req -# Ensure that the certificate is readable by others. -if ! chmod +r $serverdb/stap-server.cert; then - echo "Warning: unable to make the server's certificate $serverdb/stap-server.cert readable by others" >&2 -fi - # Add the certificate to the server's certificate/key database as a trusted peer, ssl server and object signer certutil -A -n stap-server -t "PCu,,PCu" -i $serverdb/stap-server.cert -d $serverdb -f $serverdb/pw -- cgit