From 9e724963967a79fd171e79d2353ec7b655f13c47 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 11 May 2017 07:00:42 +0000 Subject: [PATCH] certs: do not export keys world-readable in install_key_from_p12 Make sure the exported private key files are readable only by the owner. https://pagure.io/freeipa/issue/6831 Reviewed-By: Stanislav Laznicka Reviewed-By: Martin Babinsky --- ipaserver/install/certs.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 17b9ebad4a128e292e453af44ca9d63cfb1e6ea2..06a7e2143964484fa45106ca381043eb440dc5b1 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -73,7 +73,8 @@ def install_key_from_p12(p12_fname, p12_passwd, pem_fname): pwd = ipautil.write_tmp_file(p12_passwd) ipautil.run([paths.OPENSSL, "pkcs12", "-nodes", "-nocerts", "-in", p12_fname, "-out", pem_fname, - "-passin", "file:" + pwd.name]) + "-passin", "file:" + pwd.name], + umask=0o077) def export_pem_p12(pkcs12_fname, pkcs12_pwd_fname, nickname, pem_fname): -- 2.9.4