Re: [Freeipa-devel] [PATCH 0034] Secure permissions of Custodia server.keys
On 2016-08-23 12:49, Petr Vobornik wrote:
> On 08/09/2016 01:53 PM, Martin Basti wrote:
>>
>> On 08.08.2016 16:09, Christian Heimes wrote:
>>> I have split up patch 0032 into two smaller patches. This patch only
>>> addresses the server.keys file.
>>>
>>> Custodia's server.keys file contains the private RSA keys for encrypting
>>> and signing Custodia messages. The file was created with permission 644
>>> and is only secured by permission 700 of the directory
>>> /etc/ipa/custodia. The installer and upgrader ensure that the file
>>> has 600.
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1353936
>>> https://fedorahosted.org/freeipa/ticket/6056
>>>
>> Pylint is running, please wait ...
>> * Module ipapython.secrets.kem
>> ipapython/secrets/kem.py:147: [E0602(undefined-variable), newServerKeys]
>> Undefined variable 'os')
>> ipapython/secrets/kem.py:148: [E0602(undefined-variable), newServerKeys]
>> Undefined variable 'os')
>> * Module ipaserver.install.custodiainstance
>> ipaserver/install/custodiainstance.py:77: [E0602(undefined-variable),
>> CustodiaInstance.upgrade_instance] Undefined variable 'stat')
>>
>
> this review looks stuck

Thanks, I didn't notice that it was stuck. I have pushed it to GitHub and
made a PR: https://github.com/freeipa/freeipa/pull/15

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0034] Secure permissions of Custodia server.keys
On 08/09/2016 01:53 PM, Martin Basti wrote:
>
> On 08.08.2016 16:09, Christian Heimes wrote:
>> I have split up patch 0032 into two smaller patches. This patch only
>> addresses the server.keys file.
>>
>> Custodia's server.keys file contains the private RSA keys for encrypting
>> and signing Custodia messages. The file was created with permission 644
>> and is only secured by permission 700 of the directory
>> /etc/ipa/custodia. The installer and upgrader ensure that the file
>> has 600.
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1353936
>> https://fedorahosted.org/freeipa/ticket/6056
>>
> Pylint is running, please wait ...
> * Module ipapython.secrets.kem
> ipapython/secrets/kem.py:147: [E0602(undefined-variable), newServerKeys]
> Undefined variable 'os')
> ipapython/secrets/kem.py:148: [E0602(undefined-variable), newServerKeys]
> Undefined variable 'os')
> * Module ipaserver.install.custodiainstance
> ipaserver/install/custodiainstance.py:77: [E0602(undefined-variable),
> CustodiaInstance.upgrade_instance] Undefined variable 'stat')
>

this review looks stuck

--
Petr Vobornik
Re: [Freeipa-devel] [PATCH 0034] Secure permissions of Custodia server.keys
On 08.08.2016 16:09, Christian Heimes wrote:
> I have split up patch 0032 into two smaller patches. This patch only
> addresses the server.keys file.
>
> Custodia's server.keys file contains the private RSA keys for encrypting
> and signing Custodia messages. The file was created with permission 644
> and is only secured by permission 700 of the directory
> /etc/ipa/custodia. The installer and upgrader ensure that the file
> has 600.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1353936
> https://fedorahosted.org/freeipa/ticket/6056

Pylint is running, please wait ...
* Module ipapython.secrets.kem
ipapython/secrets/kem.py:147: [E0602(undefined-variable), newServerKeys]
Undefined variable 'os')
ipapython/secrets/kem.py:148: [E0602(undefined-variable), newServerKeys]
Undefined variable 'os')
* Module ipaserver.install.custodiainstance
ipaserver/install/custodiainstance.py:77: [E0602(undefined-variable),
CustodiaInstance.upgrade_instance] Undefined variable 'stat')
[Freeipa-devel] [PATCH 0034] Secure permissions of Custodia server.keys
I have split up patch 0032 into two smaller patches. This patch only
addresses the server.keys file.

Custodia's server.keys file contains the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only secured by permission 700 of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.

https://bugzilla.redhat.com/show_bug.cgi?id=1353936
https://fedorahosted.org/freeipa/ticket/6056

From 29cdaa5e27e7b8b3690d222c43eb0edfefdd82ba Mon Sep 17 00:00:00 2001
From: Christian Heimes
Date: Mon, 8 Aug 2016 15:05:52 +0200
Subject: [PATCH] Secure permissions of Custodia server.keys

Custodia's server.keys file contains the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only secured by permission 700 of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.

https://bugzilla.redhat.com/show_bug.cgi?id=1353936
https://fedorahosted.org/freeipa/ticket/6056
---
 ipapython/secrets/kem.py | 4 +++-
 ipaserver/install/custodiainstance.py | 4
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/ipapython/secrets/kem.py b/ipapython/secrets/kem.py index d45efe8cc4fb63ae9d8c0b2c920fd1f9e5331a9d..9c69adee2d30c246194ac1b05b644f07d365e5af 100644 --- a/ipapython/secrets/kem.py +++ b/ipapython/secrets/kem.py @@ -143,7 +143,9 @@ class KEMLdap(iSecLdap): def newServerKeys(path, keyid): skey = JWK(generate='RSA', use='sig', kid=keyid) ekey = JWK(generate='RSA', use='enc', kid=keyid) -with open(path, 'w+') as f: +with open(path, 'w') as f: +os.fchmod(f.fileno(), 0o600) +os.fchown(f.fileno(), 0, 0) f.write('[%s,%s]' % (skey.export(), ekey.export())) return [skey.get_op_key('verify'), ekey.get_op_key('encrypt')] diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py index fd30430bbf9c39e7153986999199474cfca60d09..b2b32a26615539b62de7503b12cd3fb5f3684344 100644 
--- a/ipaserver/install/custodiainstance.py +++ b/ipaserver/install/custodiainstance.py @@ -73,6 +73,10 @@ class CustodiaInstance(SimpleServiceInstance): if not sysupgrade.get_upgrade_state("custodia", "installed"): root_logger.info("Custodia service is being configured") self.create_instance() +mode = os.stat(self.server_keys).st_mode +if stat.S_IMODE(mode) != 0o600: +root_logger.info("Secure server.keys mode") +os.chmod(self.server_keys, 0o600) def create_replica(self, master_host_name): suffix = ipautil.realm_to_suffix(self.realm) -- 2.7.4
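
Review bot: in the newServerKeys hunk of ipapython/secrets/kem.py, the added os.fchmod() and os.fchown() calls use os, but the hunk adds no import for it and the diffstat shows no other change to this file, which matches the pylint E0602 reports at kem.py:147 and 148 quoted in the thread; add "import os" at the top of the module. Separately, open(path, 'w') still creates the file with whatever mode the process umask leaves and os.fchmod(f.fileno(), 0o600) narrows it only afterwards. Opening the descriptor with os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600) and wrapping it with os.fdopen() would keep a newly created file from ever having a wider mode; the fchmod() call is still needed for a file that already exists. os.fchown(f.fileno(), 0, 0) hard-codes root ownership and raises if the caller is not allowed to change it, which deserves a comment in the code.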
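
Review bot: in the upgrade_instance hunk of ipaserver/install/custodiainstance.py, stat.S_IMODE(mode) uses the stat module, but none of the four added lines imports it, which matches the pylint E0602 report at custodiainstance.py:77 quoted in the thread; add "import stat" to the module imports. The upgrade path also corrects only the mode, while newServerKeys in the same patch sets ownership to 0:0 as well, so a server.keys file that already exists with a different owner keeps it; if root ownership is part of the requirement, compare st_uid and st_gid here and fix them alongside os.chmod(self.server_keys, 0o600).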