From 3b41a53830fc7d0fdb301437cdceb7fcddff25a5 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: Mon, 21 Sep 2015 08:32:04 +0200
Subject: [PATCH] install: fix KRA agent PEM file permissions
This fixes CVE-2015-5284.
https://fedorahosted.org/freeipa/ticket/5347
Reviewed-By: Martin Basti
---
 install/restart_scripts/renew_ra_cert | 8 +-------
 ipaserver/install/dogtaginstance.py | 22 ++++++++++++++++++++++
 ipaserver/install/krainstance.py | 12 +++---------
 ipaserver/install/server/upgrade.py | 19 +++++++++++++++++++
 4 files changed, 45 insertions(+), 16 deletions(-)
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index 93ffd4035723831f3955bcdf5a2082fd1ec5e22a..8a6bf3f7c1081db9710cf29e0f8e5f705d920b72 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -63,13 +63,7 @@ def _main():
 kra = krainstance.KRAInstance(api.env.realm)
 if kra.is_installed():
- # export ipaCert with private key for client authentication
- args = ["/usr/bin/pki",
- "-d", paths.HTTPD_ALIAS_DIR,
- "-C", paths.ALIAS_PWDFILE_TXT,
- "client-cert-show", "ipaCert",
- "--client-cert", paths.KRA_AGENT_PEM]
- ipautil.run(args)
+ krainstance.export_kra_agent_pem()
 finally:
 shutil.rmtree(tmpdir)
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 33f39f7930b4151200f2880d02a0bc2c152c0025..940b3ea9b13897d7e9e2878a47a8c66ce5ce9f0a 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -23,6 +23,7 @@ import shutil
 import tempfile
 import traceback
 import dbus
+import pwd
 from pki.client import PKIConnection
 import pki.system
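Review bot: The replacement line `krainstance.export_kra_agent_pem()` reaches the helper only because krainstance.py happens to import it from dogtaginstance (see that file's import hunk), so renew_ra_cert now depends on a name krainstance re-exports incidentally rather than defines. Naming the defining module, `dogtaginstance.export_kra_agent_pem()`, would make the dependency explicit, provided renew_ra_cert imports dogtaginstance; its import block, like the rest of `_main()`, is outside this hunk. The same indirect call appears in the new upgrade step in upgrade.py.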
@@ -88,6 +89,27 @@ def is_installing_replica(sys_type):
 return False
+def export_kra_agent_pem():
+ """
+ Export ipaCert with private key for client authentication.
+ """
+ fd, filename = tempfile.mkstemp(dir=paths.HTTPD_ALIAS_DIR)
+ os.close(fd)
+
+ args = ["/usr/bin/pki",
+ "-d", paths.HTTPD_ALIAS_DIR,
+ "-C", paths.ALIAS_PWDFILE_TXT,
+ "client-cert-show", "ipaCert",
+ "--client-cert", filename]
+ ipautil.run(args)
+
+ pent = pwd.getpwnam("apache")
+ os.chown(filename, 0, pent.pw_gid)
+ os.chmod(filename, 0o440)
+
+ os.rename(filename, paths.KRA_AGENT_PEM)
+
+
 class DogtagInstance(service.Service):
 """
 This is the base class for a Dogtag 10+ instance, which uses a
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 48268b0be5331cced1aee6b7f3358333b65de6dd..0000192745b6d7f9f402267e435f7223f1bf8849 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -37,8 +37,8 @@ from ipaserver.install import cainstance
 from ipaserver.install import installutils
 from ipaserver.install import ldapupdate
 from ipaserver.install import service
-from ipaserver.install.dogtaginstance import DogtagInstance
-from ipaserver.install.dogtaginstance import DEFAULT_DSPORT, PKI_USER
+from ipaserver.install.dogtaginstance import (
+ DEFAULT_DSPORT, PKI_USER, export_kra_agent_pem, DogtagInstance)
 from ipaserver.plugins import ldap2
 from ipapython.ipa_log_manager import log_mgr
@@ -262,13 +262,7 @@ class KRAInstance(DogtagInstance):
 shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
- # export ipaCert with private key for client authentication
- args = ["/usr/bin/pki",
- "-d", paths.HTTPD_ALIAS_DIR,
- "-C", paths.ALIAS_PWDFILE_TXT,
- "client-cert-show", "ipaCert",
- "--client-cert", paths.KRA_AGENT_PEM]
- ipautil.run(args)
+ export_kra_agent_pem()
 self.log.debug("completed creating KRA instance")
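Review bot: If `ipautil.run(args)`, or the `os.chown`/`os.chmod` that follow it, raises, the file created by `tempfile.mkstemp` at the top of `export_kra_agent_pem()` is left behind in paths.HTTPD_ALIAS_DIR, possibly holding a partially written copy of the agent key; the steps after `os.close(fd)` should run inside a `try` whose `except` unlinks `filename` and re-raises. The docstring should also state why the export goes through a temporary file: the key is never on disk at a mode wider than the mkstemp default, and the final `os.rename()` swaps the root:apache 0440 copy into place atomically, which is the substance of this fix (the rename staying on one filesystem assumes paths.KRA_AGENT_PEM lives in paths.HTTPD_ALIAS_DIR — worth confirming in the comment). The hard-coded `"apache"` user could be hoisted into a module constant alongside `PKI_USER`, which krainstance already imports from this module.
```python
def export_kra_agent_pem():
    """
    Export ipaCert with private key for client authentication.

    The PEM is written to a mkstemp() file (owner-only mode) in
    paths.HTTPD_ALIAS_DIR and renamed over paths.KRA_AGENT_PEM only after
    it is root:apache 0440, so the key is never exposed with a wider mode.
    """
    fd, filename = tempfile.mkstemp(dir=paths.HTTPD_ALIAS_DIR)
    os.close(fd)

    try:
        # … unchanged: args list and ipautil.run(args) …

        pent = pwd.getpwnam("apache")
        os.chown(filename, 0, pent.pw_gid)
        os.chmod(filename, 0o440)

        os.rename(filename, paths.KRA_AGENT_PEM)
    except Exception:
        # do not leave a partially written copy of the key behind
        os.unlink(filename)
        raise
```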
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 0194f75477321a9e1660335ac8283d35aff8a0ec..ab08c62352c0e5cf145f299e7727886b2f295037 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -35,6 +35,7 @@ from ipaserver.install import otpdinstance
 from ipaserver.install import schemaupdate
 from ipaserver.install import sysupgrade
 from ipaserver.install import dnskeysyncinstance
+from ipaserver.install import krainstance
 from ipaserver.install.upgradeinstance import IPAUpgrade
 from ipaserver.install.ldapupdate import BadSyntax
@@ -1244,6 +1245,23 @@ def fix_trust_flags():
 sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)
+def export_kra_agent_pem():
+ root_logger.info('[Exporting KRA agent PEM file]')
+
+ if sysupgrade.get_upgrade_state('http', 'export_kra_agent_pem'):
+ root_logger.info("KRA agent PEM file already exported")
+ return
+
+ kra = krainstance.KRAInstance(api.env.realm)
+ if not kra.is_installed():
+ root_logger.info("KRA is not installed")
+ return
+
+ krainstance.export_kra_agent_pem()
+
+ sysupgrade.set_upgrade_state('http', 'export_kra_agent_pem', True)
+
+
 def update_mod_nss_protocol(http):
 root_logger.info('[Updating mod_nss protocol versions]')
@@ -1446,6 +1464,7 @@ def upgrade_configuration():
 http.stop()
 update_mod_nss_protocol(http)
 fix_trust_flags()
+ export_kra_agent_pem()
 http.start()
 uninstall_selfsign(ds, http)
-- 
2.4.3
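Review bot: The new upgrade step `export_kra_agent_pem()` has no docstring, and it carries exactly the same name as the helper `krainstance.export_kra_agent_pem()` it calls, which makes log lines and tracebacks for the two hard to tell apart; a name such as `fix_kra_agent_pem_permissions` (with the call in `upgrade_configuration()` renamed to match) would separate them. A docstring should record the reason the step exists, e.g. `"""Re-export the KRA agent PEM so an existing file gets the restricted mode introduced for CVE-2015-5284; runs once, tracked by the 'http'/'export_kra_agent_pem' upgrade state."""`. It is worth noting in that docstring that the state flag is set only after the export returns, so a failed export is retried on the next upgrade rather than recorded as done.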