From 9e724963967a79fd171e79d2353ec7b655f13c47 Mon Sep 17 00:00:00 2001

From: Jan Cholasta <jcholast@redhat.com>

Date: Thu, 11 May 2017 07:00:42 +0000

Subject: [PATCH] certs: do not export keys world-readable in

 install_key_from_p12

Make sure the exported private key files are readable only by the owner.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>

---

 ipaserver/install/certs.py | 3 ++-

 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py

index 17b9ebad4a128e292e453af44ca9d63cfb1e6ea2..06a7e2143964484fa45106ca381043eb440dc5b1 100644

--- a/ipaserver/install/certs.py

+++ b/ipaserver/install/certs.py

@@ -73,7 +73,8 @@ def install_key_from_p12(p12_fname, p12_passwd, pem_fname):

     pwd = ipautil.write_tmp_file(p12_passwd)

     ipautil.run([paths.OPENSSL, "pkcs12", "-nodes", "-nocerts",

                  "-in", p12_fname, "-out", pem_fname,

-                 "-passin", "file:" + pwd.name])

+                 "-passin", "file:" + pwd.name],

+                umask=0o077)

 def export_pem_p12(pkcs12_fname, pkcs12_pwd_fname, nickname, pem_fname):

-- 

2.9.4