Tree - rpms/ipa - CentOS Git server

rpms / ipa

Blame SOURCES/0097-Secure-permissions-of-Custodia-server.keys.patch

Blob History Raw

		403b09	`From f7d3a49f3cf88b5950b11a19785794348d072c20 Mon Sep 17 00:00:00 2001`
		403b09	`From: Christian Heimes <cheimes@redhat.com>`
		403b09	`Date: Mon, 8 Aug 2016 15:05:52 +0200`
		403b09	`Subject: [PATCH] Secure permissions of Custodia server.keys`
		403b09
		403b09	`Custodia's server.keys file contain the private RSA keys for encrypting`
		403b09	`and signing Custodia messages. The file was created with permission 644`
		403b09	`and is only secured by permission 700 of the directory`
		403b09	`/etc/ipa/custodia. The installer and upgrader ensure that the file`
		403b09	`has 600.`
		403b09
		403b09	`https://bugzilla.redhat.com/show_bug.cgi?id=1353936`
		403b09	`https://fedorahosted.org/freeipa/ticket/6056`
		403b09
		403b09	`Reviewed-By: Martin Basti <mbasti@redhat.com>`
		403b09	`---`
		403b09	`ipapython/secrets/kem.py \| 5 ++++-`
		403b09	`ipaserver/install/custodiainstance.py \| 5 +++++`
		403b09	`2 files changed, 9 insertions(+), 1 deletion(-)`
		403b09
		403b09	`diff --git a/ipapython/secrets/kem.py b/ipapython/secrets/kem.py`
		403b09	`index d45efe8cc4fb63ae9d8c0b2c920fd1f9e5331a9d..fb51e64a678bbdec45d690a5223bd61f84ef770e 100644`
		403b09	`--- a/ipapython/secrets/kem.py`
		403b09	`+++ b/ipapython/secrets/kem.py`
		403b09	`@@ -1,6 +1,7 @@`
		403b09	`# Copyright (C) 2015 IPA Project Contributors, see COPYING for license`
		403b09
		403b09	`from __future__ import print_function`
		403b09	`+import os`
		403b09	`from ipaplatform.paths import paths`
		403b09	`from six.moves.configparser import ConfigParser`
		403b09	`from ipapython.dn import DN`
		403b09	`@@ -143,7 +144,9 @@ class KEMLdap(iSecLdap):`
		403b09	`def newServerKeys(path, keyid):`
		403b09	`skey = JWK(generate='RSA', use='sig', kid=keyid)`
		403b09	`ekey = JWK(generate='RSA', use='enc', kid=keyid)`
		403b09	`- with open(path, 'w+') as f:`
		403b09	`+ with open(path, 'w') as f:`
		403b09	`+ os.fchmod(f.fileno(), 0o600)`
		403b09	`+ os.fchown(f.fileno(), 0, 0)`
		403b09	`f.write('[%s,%s]' % (skey.export(), ekey.export()))`
		403b09	`return [skey.get_op_key('verify'), ekey.get_op_key('encrypt')]`
		403b09
		403b09	`diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py`
		403b09	`index fd30430bbf9c39e7153986999199474cfca60d09..785f86fc159f2d73184ea5bb3c0303cecde153df 100644`
		403b09	`--- a/ipaserver/install/custodiainstance.py`
		403b09	`+++ b/ipaserver/install/custodiainstance.py`
		403b09	`@@ -15,6 +15,7 @@ from jwcrypto.common import json_decode`
		403b09	`import functools`
		403b09	`import shutil`
		403b09	`import os`
		403b09	`+import stat`
		403b09	`import tempfile`
		403b09	`import pwd`
		403b09
		403b09	`@@ -73,6 +74,10 @@ class CustodiaInstance(SimpleServiceInstance):`
		403b09	`if not sysupgrade.get_upgrade_state("custodia", "installed"):`
		403b09	`root_logger.info("Custodia service is being configured")`
		403b09	`self.create_instance()`
		403b09	`+ mode = os.stat(self.server_keys).st_mode`
		403b09	`+ if stat.S_IMODE(mode) != 0o600:`
		403b09	`+ root_logger.info("Secure server.keys mode")`
		403b09	`+ os.chmod(self.server_keys, 0o600)`
		403b09
		403b09	`def create_replica(self, master_host_name):`
		403b09	`suffix = ipautil.realm_to_suffix(self.realm)`
		403b09	`--`
		403b09	`2.7.4`
		403b09

rpms / ipa

Source Code

Blame SOURCES/0097-Secure-permissions-of-Custodia-server.keys.patch