ldap: write temp cert files more securely

goauthentik · Jun 9, 2023 · fa4d320 · fa4d320
1 parent a824565
commit fa4d320
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/authentik/sources/ldap/models.py b/authentik/sources/ldap/models.py
@@ -1,6 +1,7 @@
 """authentik LDAP Models"""
 from ssl import CERT_REQUIRED
-from tempfile import NamedTemporaryFile
+from tempfile import NamedTemporaryFile, mkdtemp
+from os import chmod
 from typing import Optional
 
 from django.db import models
@@ -124,12 +125,15 @@ def server(self, **kwargs) -> Server:
             tls_kwargs["ca_certs_data"] = self.peer_certificate.certificate_data
             tls_kwargs["validate"] = CERT_REQUIRED
         if self.client_certificate:
+            temp_dir = mkdtemp(dir='/tmp')
             with NamedTemporaryFile(mode="w", delete=False) as temp_cert:
                 temp_cert.write(self.client_certificate.certificate_data)
                 certificate_file = temp_cert.name
+                chmod(certificate_file, 0o600)
             with NamedTemporaryFile(mode="w", delete=False) as temp_key:
                 temp_key.write(self.client_certificate.key_data)
                 private_key_file = temp_key.name
+                chmod(private_key_file, 0o600)
             tls_kwargs["local_private_key_file"] = private_key_file
             tls_kwargs["local_certificate_file"] = certificate_file
         if ciphers := CONFIG.y("ldap.tls.ciphers", None):