From 3b41a53830fc7d0fdb301437cdceb7fcddff25a5 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Mon, 21 Sep 2015 08:32:04 +0200
Subject: [PATCH] install: fix KRA agent PEM file permissions
This fixes CVE-2015-5284.
https://fedorahosted.org/freeipa/ticket/5347
Reviewed-By: Martin Basti <mbasti@redhat.com>
---
install/restart_scripts/renew_ra_cert | 8 +-------
ipaserver/install/dogtaginstance.py | 22 ++++++++++++++++++++++
ipaserver/install/krainstance.py | 12 +++---------
ipaserver/install/server/upgrade.py | 19 +++++++++++++++++++
4 files changed, 45 insertions(+), 16 deletions(-)
diff --git a/install/restart_scripts/renew_ra_cert b/install/restart_scripts/renew_ra_cert
index 93ffd4035723831f3955bcdf5a2082fd1ec5e22a..8a6bf3f7c1081db9710cf29e0f8e5f705d920b72 100644
--- a/install/restart_scripts/renew_ra_cert
+++ b/install/restart_scripts/renew_ra_cert
@@ -63,13 +63,7 @@ def _main():
kra = krainstance.KRAInstance(api.env.realm)
if kra.is_installed():
- # export ipaCert with private key for client authentication
- args = ["/usr/bin/pki",
- "-d", paths.HTTPD_ALIAS_DIR,
- "-C", paths.ALIAS_PWDFILE_TXT,
- "client-cert-show", "ipaCert",
- "--client-cert", paths.KRA_AGENT_PEM]
- ipautil.run(args)
+ krainstance.export_kra_agent_pem()
finally:
shutil.rmtree(tmpdir)
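Review bot: The replacement line calls the helper through krainstance, but krainstance only re-exports a name it imports from dogtaginstance, so this script now depends on krainstance keeping that import; `dogtaginstance.export_kra_agent_pem()` would name the module that actually defines it. Whether renew_ra_cert already imports dogtaginstance is not visible in this hunk, so that may need an import line as well. _main() starts before the hunk and the try block closed by the visible `finally:` is not shown here.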
diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py
index 33f39f7930b4151200f2880d02a0bc2c152c0025..940b3ea9b13897d7e9e2878a47a8c66ce5ce9f0a 100644
--- a/ipaserver/install/dogtaginstance.py
+++ b/ipaserver/install/dogtaginstance.py
@@ -23,6 +23,7 @@ import shutil
import tempfile
import traceback
import dbus
+import pwd
from pki.client import PKIConnection
import pki.system
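Review bot: The added `import pwd` sits after the third-party `import dbus` instead of with the standard-library imports `tempfile` and `traceback` that precede it. Moving it into that group, e.g. `import pwd` directly after `import traceback`, keeps the stdlib imports together as the rest of this header does.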
@@ -88,6 +89,27 @@ def is_installing_replica(sys_type):
return False
+def export_kra_agent_pem():
+ """
+ Export ipaCert with private key for client authentication.
+ """
+ fd, filename = tempfile.mkstemp(dir=paths.HTTPD_ALIAS_DIR)
+ os.close(fd)
+
+ args = ["/usr/bin/pki",
+ "-d", paths.HTTPD_ALIAS_DIR,
+ "-C", paths.ALIAS_PWDFILE_TXT,
+ "client-cert-show", "ipaCert",
+ "--client-cert", filename]
+ ipautil.run(args)
+
+ pent = pwd.getpwnam("apache")
+ os.chown(filename, 0, pent.pw_gid)
+ os.chmod(filename, 0o440)
+
+ os.rename(filename, paths.KRA_AGENT_PEM)
+
+
class DogtagInstance(service.Service):
"""
This is the base class for a Dogtag 10+ instance, which uses a
diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py
index 48268b0be5331cced1aee6b7f3358333b65de6dd..0000192745b6d7f9f402267e435f7223f1bf8849 100644
--- a/ipaserver/install/krainstance.py
+++ b/ipaserver/install/krainstance.py
@@ -37,8 +37,8 @@ from ipaserver.install import cainstance
from ipaserver.install import installutils
from ipaserver.install import ldapupdate
from ipaserver.install import service
-from ipaserver.install.dogtaginstance import DogtagInstance
-from ipaserver.install.dogtaginstance import DEFAULT_DSPORT, PKI_USER
+from ipaserver.install.dogtaginstance import (
+ DEFAULT_DSPORT, PKI_USER, export_kra_agent_pem, DogtagInstance)
from ipaserver.plugins import ldap2
from ipapython.ipa_log_manager import log_mgr
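Review bot: The combined import now makes `krainstance.export_kra_agent_pem` part of this module's surface, and the other files in this patch (renew_ra_cert and upgrade.py) call it through krainstance rather than dogtaginstance; nothing in the import line records that, so a later "unused import" cleanup that only checks local use could silently break those callers and the upgrade step that fixes the file permissions. A short comment on the import, such as `# export_kra_agent_pem is also called as krainstance.export_kra_agent_pem() by renew_ra_cert and upgrade.py`, or an `__all__` entry, would document the contract.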
@@ -262,13 +262,7 @@ class KRAInstance(DogtagInstance):
shutil.move(paths.KRA_BACKUP_KEYS_P12, paths.KRACERT_P12)
- # export ipaCert with private key for client authentication
- args = ["/usr/bin/pki",
- "-d", paths.HTTPD_ALIAS_DIR,
- "-C", paths.ALIAS_PWDFILE_TXT,
- "client-cert-show", "ipaCert",
- "--client-cert", paths.KRA_AGENT_PEM]
- ipautil.run(args)
+ export_kra_agent_pem()
self.log.debug("completed creating KRA instance")
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 0194f75477321a9e1660335ac8283d35aff8a0ec..ab08c62352c0e5cf145f299e7727886b2f295037 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -35,6 +35,7 @@ from ipaserver.install import otpdinstance
from ipaserver.install import schemaupdate
from ipaserver.install import sysupgrade
from ipaserver.install import dnskeysyncinstance
+from ipaserver.install import krainstance
from ipaserver.install.upgradeinstance import IPAUpgrade
from ipaserver.install.ldapupdate import BadSyntax
@@ -1244,6 +1245,23 @@ def fix_trust_flags():
sysupgrade.set_upgrade_state('http', 'fix_trust_flags', True)
+def export_kra_agent_pem():
+ root_logger.info('[Exporting KRA agent PEM file]')
+
+ if sysupgrade.get_upgrade_state('http', 'export_kra_agent_pem'):
+ root_logger.info("KRA agent PEM file already exported")
+ return
+
+ kra = krainstance.KRAInstance(api.env.realm)
+ if not kra.is_installed():
+ root_logger.info("KRA is not installed")
+ return
+
+ krainstance.export_kra_agent_pem()
+
+ sysupgrade.set_upgrade_state('http', 'export_kra_agent_pem', True)
+
+
def update_mod_nss_protocol(http):
root_logger.info('[Updating mod_nss protocol versions]')
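Review bot: The new upgrade step export_kra_agent_pem() has no docstring, and it carries the same name as the krainstance.export_kra_agent_pem() it calls, so a reader of the call sites in upgrade_configuration() cannot tell from the name which of the two is meant or that this one is a run-once migration guarded by the 'http' upgrade state. A one-line docstring such as `"""Re-export the KRA agent PEM once so installs from before this fix get the restricted file permissions; tracked via the 'http' upgrade state."""` would make that explicit; renaming the step (for example to `fix_kra_agent_pem_permissions`) would remove the ambiguity, though the name was presumably chosen to match the state key. Note that when `kra.is_installed()` is false the state is deliberately not set, so the step is retried on the next upgrade; a comment saying so would save the next reader from treating it as an oversight.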
@@ -1446,6 +1464,7 @@ def upgrade_configuration():
http.stop()
update_mod_nss_protocol(http)
fix_trust_flags()
+ export_kra_agent_pem()
http.start()
uninstall_selfsign(ds, http)
--
2.4.3