

pki: make certificates only readable to group and others
Even though we copy these to hosts, it's not a good idea to allow them to
be overwritten by a random user. OpenSSL database files are also always
recreated; umask should take care of all of that.
michalskrivanek committed Jul 26, 2022
1 parent ba21266 commit 1df9674
Showing 2 changed files with 2 additions and 0 deletions.
1 change: 1 addition & 0 deletions packaging/bin/pki-enroll-openssh-cert.sh
Expand Up @@ -32,6 +32,7 @@ sign() {
}
trap cleanup 0
cat "${PKIDIR}/private/ca.pem" > "${TMPCA}"
umask 0022
ssh-keygen \
-s "${TMPCA}" \
-P "" \
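Review bot: `umask 0022` only governs the mode of files created after this line, so it does not tighten certificates that already exist on disk with wider permissions; if the title's guarantee must also hold for re-signed files that are overwritten in place, an explicit `chmod 0644 -- "<signed-cert-path>"` after `ssh-keygen` is still needed (path is a placeholder; the output name is not visible in the hunk). The same line is added after `fi` in packaging/bin/pki-enroll-request.sh, where the same point applies to `openssl ca`. Because the umask stays in effect for the rest of the process, anything either tool creates afterwards is at most 0644, which is what the description wants for the database files but should be stated next to the line, e.g. `# 0644: certs must stay world-readable on hosts, but writable only by the owner`. If any later step in sign() writes private material, it would now rely on that tool setting its own mode. sign() begins outside the hunk.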
1 change: 1 addition & 0 deletions packaging/bin/pki-enroll-request.sh
Expand Up @@ -22,6 +22,7 @@ sign() {
[ -e "${CERT_CONF}" ] || die "${CERT_CONF} is missing, Cannot sign certificate"
EXTRA_COMMAND="-extfile ${CERT_CONF} -extensions ${extsection}"
fi
umask 0022
OVIRT_KU="${ovirt_ku}" OVIRT_EKU="${ovirt_eku}" OVIRT_SAN="${ovirt_san}" \
openssl ca \
-batch \

