From 131fbeff0397aa4e98bab8a22f0a1d366f223f05 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Mon, 22 May 2017 22:36:18 +0300
Subject: [PATCH] krb5: make sure KDC certificate is readable
When requesting certificate for KDC profile, make sure its public part is actually readable to others.
Fixes https://pagure.io/freeipa/issue/6973
Reviewed-By: Simo Sorce
Reviewed-By: Jan Cholasta
---
 install/restart_scripts/renew_kdc_cert | 4 ----
 ipalib/install/certmonger.py | 12 +++++++++---
 ipaserver/install/krbinstance.py | 3 ++-
 3 files changed, 11 insertions(+), 8 deletions(-)
diff --git a/install/restart_scripts/renew_kdc_cert b/install/restart_scripts/renew_kdc_cert
index 9247920874fc9540ac3421dd59fd902cc195243f..14902893f0e61e31f798fa39737a6ed9d31de111 100755
--- a/install/restart_scripts/renew_kdc_cert
+++ b/install/restart_scripts/renew_kdc_cert
@@ -3,19 +3,15 @@
 # Copyright (C) 2017 FreeIPA Contributors see COPYING for license
 #
-import os
 import syslog
 import traceback
 from ipaplatform import services
-from ipaplatform.paths import paths
 from ipaserver.install import certs
 def main():
 with certs.renewal_lock:
- os.chmod(paths.KDC_CERT, 0o644)
-
 try:
 if services.knownservices.krb5kdc.is_running():
 syslog.syslog(syslog.LOG_NOTICE, 'restarting krb5kdc')
diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py
index 5709853ffebdbf58929b9a935e906ae67341bea8..ad031a738f4397d230ed131bde6ac7ddb7ef6fdb 100644
--- a/ipalib/install/certmonger.py
+++ b/ipalib/install/certmonger.py
@@ -302,7 +302,7 @@ def add_subject(request_id, subject):
 def request_and_wait_for_cert(
 certpath, subject, principal, nickname=None, passwd_fname=None,
 dns=None, ca='IPA', profile=None,
- pre_command=None, post_command=None, storage='NSSDB'):
+ pre_command=None, post_command=None, storage='NSSDB', perms=None):
 """
 Execute certmonger to request a server certificate.
@@ -310,7 +310,7 @@ def request_and_wait_for_cert(
 """
 reqId = request_cert(certpath, subject, principal, nickname,
 passwd_fname, dns, ca, profile,
- pre_command, post_command, storage)
+ pre_command, post_command, storage, perms)
 state = wait_for_request(reqId, api.env.startup_timeout)
 ca_error = get_request_value(reqId, 'ca-error')
 if state != 'MONITORING' or ca_error:
@@ -321,12 +321,14 @@ def request_and_wait_for_cert(
 def request_cert(
 certpath, subject, principal, nickname=None, passwd_fname=None,
 dns=None, ca='IPA', profile=None,
- pre_command=None, post_command=None, storage='NSSDB'):
+ pre_command=None, post_command=None, storage='NSSDB', perms=None):
 """
 Execute certmonger to request a server certificate.
 ``dns``
 A sequence of DNS names to appear in SAN request extension.
+ ``perms``
+ A tuple of (cert, key) permissions in e.g., (0644,0660)
 """
 if storage == 'FILE':
 certfile, keyfile = certpath
@@ -367,6 +369,10 @@ def request_cert(
 post_command = certmonger_cmd_template % (post_command)
 request_parameters['cert-postsave-command'] = post_command
+ if perms:
+ request_parameters['key-perms'] = perms[0]
+ request_parameters['cert-perms'] = perms[1]
+
 result = cm.obj_if.add_request(request_parameters)
 try:
 if result[0]:
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 1692e0b2badb23c18386346a552c83881018cf60..a1053d55ccaae17bef93547c036fb9d08d296f0b 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -432,7 +432,8 @@ class KrbInstance(service.Service):
 dns=self.fqdn,
 storage='FILE',
 profile=KDC_PROFILE,
- post_command='renew_kdc_cert')
+ post_command='renew_kdc_cert',
+ perms=(0o644, 0o600))
 except dbus.DBusException as e:
 # if the certificate is already tracked, ignore the error
 name = e.get_dbus_name()
--
2.9.4
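Review bot: The `perms` tuple is unpacked in the wrong order in request_cert: the docstring added in the `@@ -321,12` hunk documents it as (cert, key) and the krbinstance.py caller passes `perms=(0o644, 0o600)` on that reading, but the new block in the `@@ -367,6` hunk stores `perms[0]` into `key-perms` and `perms[1]` into `cert-perms`, so the request asks for mode 0644 on the KDC private key and 0600 on the certificate, the reverse of what the commit sets out to do, and the `os.chmod(paths.KDC_CERT, 0o644)` that the renew_kdc_cert hunk removes no longer papers over it. Swap the two assignments: `request_parameters['cert-perms'] = perms[0]` and `request_parameters['key-perms'] = perms[1]`. The docstring example would also be clearer as `(0o644, 0o600)`, which matches the caller and is valid Python 3 octal syntax, unlike `(0644,0660)`. request_cert continues outside these hunks, so whether the perms are applied by certmonger itself or elsewhere is not visible here.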