From 131fbeff0397aa4e98bab8a22f0a1d366f223f05 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 22 May 2017 22:36:18 +0300
Subject: [PATCH] krb5: make sure KDC certificate is readable
|
When requesting a certificate for the KDC profile, make sure its public part
is actually readable to others.
|
Fixes https://pagure.io/freeipa/issue/6973
|
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
---
install/restart_scripts/renew_kdc_cert | 4 ----
ipalib/install/certmonger.py | 12 +++++++++---
ipaserver/install/krbinstance.py | 3 ++-
3 files changed, 11 insertions(+), 8 deletions(-)
|
diff --git a/install/restart_scripts/renew_kdc_cert b/install/restart_scripts/renew_kdc_cert
|
|
|
ac7d03 |
index 9247920874fc9540ac3421dd59fd902cc195243f..14902893f0e61e31f798fa39737a6ed9d31de111 100755
|
|
|
ac7d03 |
--- a/install/restart_scripts/renew_kdc_cert
|
|
|
ac7d03 |
+++ b/install/restart_scripts/renew_kdc_cert
|
|
|
ac7d03 |
@@ -3,19 +3,15 @@
|
|
|
ac7d03 |
# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
|
|
|
ac7d03 |
#
|
|
|
ac7d03 |
|
|
|
ac7d03 |
-import os
|
|
|
ac7d03 |
import syslog
|
|
|
ac7d03 |
import traceback
|
|
|
ac7d03 |
|
|
|
ac7d03 |
from ipaplatform import services
|
|
|
ac7d03 |
-from ipaplatform.paths import paths
|
|
|
ac7d03 |
from ipaserver.install import certs
|
|
|
ac7d03 |
|
|
|
ac7d03 |
|
|
|
ac7d03 |
def main():
|
|
|
ac7d03 |
with certs.renewal_lock:
|
|
|
ac7d03 |
- os.chmod(paths.KDC_CERT, 0o644)
|
|
|
ac7d03 |
-
|
|
|
ac7d03 |
try:
|
|
|
ac7d03 |
if services.knownservices.krb5kdc.is_running():
|
|
|
ac7d03 |
syslog.syslog(syslog.LOG_NOTICE, 'restarting krb5kdc')
|
|
|
ac7d03 |
diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py
|
|
|
ac7d03 |
index 5709853ffebdbf58929b9a935e906ae67341bea8..ad031a738f4397d230ed131bde6ac7ddb7ef6fdb 100644
|
|
|
ac7d03 |
--- a/ipalib/install/certmonger.py
|
|
|
ac7d03 |
+++ b/ipalib/install/certmonger.py
|
|
|
ac7d03 |
@@ -302,7 +302,7 @@ def add_subject(request_id, subject):
|
|
|
ac7d03 |
def request_and_wait_for_cert(
|
|
|
ac7d03 |
certpath, subject, principal, nickname=None, passwd_fname=None,
|
|
|
ac7d03 |
dns=None, ca='IPA', profile=None,
|
|
|
ac7d03 |
- pre_command=None, post_command=None, storage='NSSDB'):
|
|
|
ac7d03 |
+ pre_command=None, post_command=None, storage='NSSDB', perms=None):
|
|
|
ac7d03 |
"""
|
|
|
ac7d03 |
Execute certmonger to request a server certificate.
|
|
|
ac7d03 |
|
|
|
ac7d03 |
@@ -310,7 +310,7 @@ def request_and_wait_for_cert(
|
|
|
ac7d03 |
"""
|
|
|
ac7d03 |
reqId = request_cert(certpath, subject, principal, nickname,
|
|
|
ac7d03 |
passwd_fname, dns, ca, profile,
|
|
|
ac7d03 |
- pre_command, post_command, storage)
|
|
|
ac7d03 |
+ pre_command, post_command, storage, perms)
|
|
|
ac7d03 |
state = wait_for_request(reqId, api.env.startup_timeout)
|
|
|
ac7d03 |
ca_error = get_request_value(reqId, 'ca-error')
|
|
|
ac7d03 |
if state != 'MONITORING' or ca_error:
|
|
|
ac7d03 |
@@ -321,12 +321,14 @@ def request_and_wait_for_cert(
|
|
|
ac7d03 |
def request_cert(
|
|
|
ac7d03 |
certpath, subject, principal, nickname=None, passwd_fname=None,
|
|
|
ac7d03 |
dns=None, ca='IPA', profile=None,
|
|
|
ac7d03 |
- pre_command=None, post_command=None, storage='NSSDB'):
|
|
|
ac7d03 |
+ pre_command=None, post_command=None, storage='NSSDB', perms=None):
|
|
|
ac7d03 |
"""
|
|
|
ac7d03 |
Execute certmonger to request a server certificate.
|
|
|
ac7d03 |
|
|
|
ac7d03 |
``dns``
|
|
|
ac7d03 |
A sequence of DNS names to appear in SAN request extension.
|
|
|
ac7d03 |
+ ``perms``
|
|
|
ac7d03 |
+ A tuple of (cert, key) permissions in e.g., (0644,0660)
|
|
|
ac7d03 |
"""
|
|
|
ac7d03 |
if storage == 'FILE':
|
|
|
ac7d03 |
certfile, keyfile = certpath
|
|
|
ac7d03 |
@@ -367,6 +369,10 @@ def request_cert(
|
|
|
ac7d03 |
post_command = certmonger_cmd_template % (post_command)
|
|
|
ac7d03 |
request_parameters['cert-postsave-command'] = post_command
|
|
|
ac7d03 |
|
|
|
ac7d03 |
+ if perms:
|
|
|
ac7d03 |
+ request_parameters['key-perms'] = perms[0]
|
|
|
ac7d03 |
+ request_parameters['cert-perms'] = perms[1]
|
|
|
ac7d03 |
+
|
|
|
ac7d03 |
result = cm.obj_if.add_request(request_parameters)
|
|
|
ac7d03 |
try:
|
|
|
ac7d03 |
if result[0]:
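Review bot: The two assignments added after the `cert-postsave-command` block index the tuple the wrong way round: the docstring introduced in the previous hunk defines `perms` as `(cert, key)`, and krbinstance.py passes `(0o644, 0o600)` on that basis, yet the code stores `perms[0]` as `key-perms` and `perms[1]` as `cert-perms`, so the private key would end up world-readable and the certificate unreadable — the opposite of what the commit sets out to fix, now that the `os.chmod` safety net in renew_kdc_cert is removed. Swap the indices: `request_parameters['cert-perms'] = perms[0]` and `request_parameters['key-perms'] = perms[1]`. The docstring example `(0644,0660)` would also read more clearly as `(0o644, 0o600)` to match the caller. Whether certmonger's D-Bus `add_request` accepts these values as plain integers is not visible here and is worth confirming. request_cert's body continues outside the hunk.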
|
|
|
ac7d03 |
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
|
|
|
ac7d03 |
index 1692e0b2badb23c18386346a552c83881018cf60..a1053d55ccaae17bef93547c036fb9d08d296f0b 100644
|
|
|
ac7d03 |
--- a/ipaserver/install/krbinstance.py
|
|
|
ac7d03 |
+++ b/ipaserver/install/krbinstance.py
|
|
|
ac7d03 |
@@ -432,7 +432,8 @@ class KrbInstance(service.Service):
|
|
|
ac7d03 |
dns=self.fqdn,
|
|
|
ac7d03 |
storage='FILE',
|
|
|
ac7d03 |
profile=KDC_PROFILE,
|
|
|
ac7d03 |
- post_command='renew_kdc_cert')
|
|
|
ac7d03 |
+ post_command='renew_kdc_cert',
|
|
|
ac7d03 |
+ perms=(0o644, 0o600))
|
|
|
ac7d03 |
except dbus.DBusException as e:
|
|
|
ac7d03 |
# if the certificate is already tracked, ignore the error
|
|
|
ac7d03 |
name = e.get_dbus_name()
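Review bot: The new `perms` argument only takes effect for a fresh tracking request; when the call fails because the certificate is already tracked, the `dbus.DBusException` handler below deliberately ignores the error, so the permissions of an already-tracked KDC certificate are never adjusted. With the `os.chmod(paths.KDC_CERT, 0o644)` call removed from renew_kdc_cert in this same commit, an upgraded server appears to keep whatever mode the file already has unless an upgrade step elsewhere fixes it up. If that is intended, a comment such as `# perms only apply to new tracking requests; existing ones are left as-is` next to the `perms=` line would make it explicit. The enclosing try block and the call's opening line start outside the hunk.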
|
|
|
ac7d03 |
--
2.9.4