From 131fbeff0397aa4e98bab8a22f0a1d366f223f05 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 22 May 2017 22:36:18 +0300
Subject: [PATCH] krb5: make sure KDC certificate is readable
When requesting certificate for KDC profile, make sure its public part
is actually readable to others.
Fixes https://pagure.io/freeipa/issue/6973
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
install/restart_scripts/renew_kdc_cert | 4 ----
ipalib/install/certmonger.py | 12 +++++++++---
ipaserver/install/krbinstance.py | 3 ++-
3 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/install/restart_scripts/renew_kdc_cert b/install/restart_scripts/renew_kdc_cert
index 9247920874fc9540ac3421dd59fd902cc195243f..14902893f0e61e31f798fa39737a6ed9d31de111 100755
--- a/install/restart_scripts/renew_kdc_cert
+++ b/install/restart_scripts/renew_kdc_cert
@@ -3,19 +3,15 @@
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
#
-import os
import syslog
import traceback
from ipaplatform import services
-from ipaplatform.paths import paths
from ipaserver.install import certs
def main():
with certs.renewal_lock:
- os.chmod(paths.KDC_CERT, 0o644)
-
try:
if services.knownservices.krb5kdc.is_running():
syslog.syslog(syslog.LOG_NOTICE, 'restarting krb5kdc')
diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py
index 5709853ffebdbf58929b9a935e906ae67341bea8..ad031a738f4397d230ed131bde6ac7ddb7ef6fdb 100644
--- a/ipalib/install/certmonger.py
+++ b/ipalib/install/certmonger.py
@@ -302,7 +302,7 @@ def add_subject(request_id, subject):
def request_and_wait_for_cert(
certpath, subject, principal, nickname=None, passwd_fname=None,
dns=None, ca='IPA', profile=None,
- pre_command=None, post_command=None, storage='NSSDB'):
+ pre_command=None, post_command=None, storage='NSSDB', perms=None):
"""
Execute certmonger to request a server certificate.
@@ -310,7 +310,7 @@ def request_and_wait_for_cert(
"""
reqId = request_cert(certpath, subject, principal, nickname,
passwd_fname, dns, ca, profile,
- pre_command, post_command, storage)
+ pre_command, post_command, storage, perms)
state = wait_for_request(reqId, api.env.startup_timeout)
ca_error = get_request_value(reqId, 'ca-error')
if state != 'MONITORING' or ca_error:
@@ -321,12 +321,14 @@ def request_and_wait_for_cert(
def request_cert(
certpath, subject, principal, nickname=None, passwd_fname=None,
dns=None, ca='IPA', profile=None,
- pre_command=None, post_command=None, storage='NSSDB'):
+ pre_command=None, post_command=None, storage='NSSDB', perms=None):
"""
Execute certmonger to request a server certificate.
``dns``
A sequence of DNS names to appear in SAN request extension.
+ ``perms``
+ A tuple of (cert, key) permissions in e.g., (0644,0660)
"""
if storage == 'FILE':
certfile, keyfile = certpath
@@ -367,6 +369,10 @@ def request_cert(
post_command = certmonger_cmd_template % (post_command)
request_parameters['cert-postsave-command'] = post_command
+ if perms:
+ request_parameters['key-perms'] = perms[0]
+ request_parameters['cert-perms'] = perms[1]
+
result = cm.obj_if.add_request(request_parameters)
try:
if result[0]:
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 1692e0b2badb23c18386346a552c83881018cf60..a1053d55ccaae17bef93547c036fb9d08d296f0b 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -432,7 +432,8 @@ class KrbInstance(service.Service):
dns=self.fqdn,
storage='FILE',
profile=KDC_PROFILE,
- post_command='renew_kdc_cert')
+ post_command='renew_kdc_cert',
+ perms=(0o644, 0o600))
except dbus.DBusException as e:
# if the certificate is already tracked, ignore the error
name = e.get_dbus_name()
--
2.9.4