subject:"\[Freeipa\-devel\] \[PATCH 0034\] Secure permissions of Custodia server.keys"

Re: [Freeipa-devel] [PATCH 0034] Secure permissions of Custodia server.keys

2016-08-24 Thread Christian Heimes

On 2016-08-23 12:49, Petr Vobornik wrote:
> On 08/09/2016 01:53 PM, Martin Basti wrote:
>>
>>
>> On 08.08.2016 16:09, Christian Heimes wrote:
>>> I have split up patch 0032 into two smaller patches. This patch only
>>> addresses the server.keys file.
>>>
>>> Custodia's server.keys file contain the private RSA keys for encrypting
>>> and signing Custodia messages. The file was created with permission 644
>>> and is only secured by permission 700 of the directory
>>> /etc/ipa/custodia. The installer and upgrader ensure that the file
>>> has 600.
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1353936
>>> https://fedorahosted.org/freeipa/ticket/6056
>>>
>>>
>> Pylint is running, please wait ...
>> * Module ipapython.secrets.kem
>> ipapython/secrets/kem.py:147: [E0602(undefined-variable), newServerKeys] 
>> Undefined variable 'os')
>> ipapython/secrets/kem.py:148: [E0602(undefined-variable), newServerKeys] 
>> Undefined variable 'os')
>> * Module ipaserver.install.custodiainstance
>> ipaserver/install/custodiainstance.py:77: [E0602(undefined-variable), 
>> CustodiaInstance.upgrade_instance] Undefined variable 'stat')
>>
>>
>>
> 
> this review looks stuck

Thanks, I didn't notice that it was stuck. I have pushed it to github
and made a PR:

https://github.com/freeipa/freeipa/pull/15




signature.asc
Description: OpenPGP digital signature
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0034] Secure permissions of Custodia server.keys

2016-08-23 Thread Petr Vobornik

On 08/09/2016 01:53 PM, Martin Basti wrote:
> 
> 
> On 08.08.2016 16:09, Christian Heimes wrote:
>> I have split up patch 0032 into two smaller patches. This patch only
>> addresses the server.keys file.
>>
>> Custodia's server.keys file contain the private RSA keys for encrypting
>> and signing Custodia messages. The file was created with permission 644
>> and is only secured by permission 700 of the directory
>> /etc/ipa/custodia. The installer and upgrader ensure that the file
>> has 600.
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1353936
>> https://fedorahosted.org/freeipa/ticket/6056
>>
>>
> Pylint is running, please wait ...
> * Module ipapython.secrets.kem
> ipapython/secrets/kem.py:147: [E0602(undefined-variable), newServerKeys] 
> Undefined variable 'os')
> ipapython/secrets/kem.py:148: [E0602(undefined-variable), newServerKeys] 
> Undefined variable 'os')
> * Module ipaserver.install.custodiainstance
> ipaserver/install/custodiainstance.py:77: [E0602(undefined-variable), 
> CustodiaInstance.upgrade_instance] Undefined variable 'stat')
> 
> 
> 

this review looks stuck
-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0034] Secure permissions of Custodia server.keys

2016-08-09 Thread Martin Basti




On 08.08.2016 16:09, Christian Heimes wrote:

I have split up patch 0032 into two smaller patches. This patch only
addresses the server.keys file.

Custodia's server.keys file contain the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only secured by permission 700 of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.

https://bugzilla.redhat.com/show_bug.cgi?id=1353936
https://fedorahosted.org/freeipa/ticket/6056



Pylint is running, please wait ...
* Module ipapython.secrets.kem
ipapython/secrets/kem.py:147: [E0602(undefined-variable), newServerKeys] 
Undefined variable 'os')
ipapython/secrets/kem.py:148: [E0602(undefined-variable), newServerKeys] 
Undefined variable 'os')

* Module ipaserver.install.custodiainstance
ipaserver/install/custodiainstance.py:77: [E0602(undefined-variable), 
CustodiaInstance.upgrade_instance] Undefined variable 'stat')


-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH 0034] Secure permissions of Custodia server.keys

2016-08-08 Thread Christian Heimes

I have split up patch 0032 into two smaller patches. This patch only
addresses the server.keys file.

Custodia's server.keys file contain the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only secured by permission 700 of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.

https://bugzilla.redhat.com/show_bug.cgi?id=1353936
https://fedorahosted.org/freeipa/ticket/6056
From 29cdaa5e27e7b8b3690d222c43eb0edfefdd82ba Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Mon, 8 Aug 2016 15:05:52 +0200
Subject: [PATCH] Secure permissions of Custodia server.keys

Custodia's server.keys file contain the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only secured by permission 700 of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.

https://bugzilla.redhat.com/show_bug.cgi?id=1353936
https://fedorahosted.org/freeipa/ticket/6056
---
 ipapython/secrets/kem.py  | 4 +++-
 ipaserver/install/custodiainstance.py | 4 
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/ipapython/secrets/kem.py b/ipapython/secrets/kem.py
index d45efe8cc4fb63ae9d8c0b2c920fd1f9e5331a9d..9c69adee2d30c246194ac1b05b644f07d365e5af 100644
--- a/ipapython/secrets/kem.py
+++ b/ipapython/secrets/kem.py
@@ -143,7 +143,9 @@ class KEMLdap(iSecLdap):
 def newServerKeys(path, keyid):
 skey = JWK(generate='RSA', use='sig', kid=keyid)
 ekey = JWK(generate='RSA', use='enc', kid=keyid)
-with open(path, 'w+') as f:
+with open(path, 'w') as f:
+os.fchmod(f.fileno(), 0o600)
+os.fchown(f.fileno(), 0, 0)
 f.write('[%s,%s]' % (skey.export(), ekey.export()))
 return [skey.get_op_key('verify'), ekey.get_op_key('encrypt')]
 
diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index fd30430bbf9c39e7153986999199474cfca60d09..b2b32a26615539b62de7503b12cd3fb5f3684344 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -73,6 +73,10 @@ class CustodiaInstance(SimpleServiceInstance):
 if not sysupgrade.get_upgrade_state("custodia", "installed"):
 root_logger.info("Custodia service is being configured")
 self.create_instance()
+mode = os.stat(self.server_keys).st_mode
+if stat.S_IMODE(mode) != 0o600:
+root_logger.info("Secure server.keys mode")
+os.chmod(self.server_keys, 0o600)
 
 def create_replica(self, master_host_name):
 suffix = ipautil.realm_to_suffix(self.realm)
-- 
2.7.4



signature.asc
Description: OpenPGP digital signature
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0034] Secure permissions of Custodia server.keys

Re: [Freeipa-devel] [PATCH 0034] Secure permissions of Custodia server.keys

Re: [Freeipa-devel] [PATCH 0034] Secure permissions of Custodia server.keys

[Freeipa-devel] [PATCH 0034] Secure permissions of Custodia server.keys

4 matches

Site Navigation

Mail list logo

Footer information