pki: make certificates only readable to group and others

even though we copy these to hosts it's not a good idea to allow them to be overwritten by a random user. Openssl database files are also always recreated, umask should take care of all of that. Ansible does not use default umask from OS so we need to explicitly set it. We can use login shell to figure out the effective command-line umask value.
oVirt · Jul 27, 2022 · 492c68f · 492c68f
1 parent fa581d2
commit 492c68f
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 0 deletions.
diff --git a/packaging/bin/pki-enroll-openssh-cert.sh b/packaging/bin/pki-enroll-openssh-cert.sh
@@ -32,6 +32,7 @@ sign() {
 		}
 		trap cleanup 0
 		cat "${PKIDIR}/private/ca.pem" > "${TMPCA}"
+        umask "$(/bin/sh -l -c umask)"
 		ssh-keygen \
 			-s "${TMPCA}" \
 			-P "" \

diff --git a/packaging/bin/pki-enroll-request.sh b/packaging/bin/pki-enroll-request.sh
@@ -22,6 +22,7 @@ sign() {
 		[ -e "${CERT_CONF}" ] || die "${CERT_CONF} is missing, Cannot sign certificate"
 		EXTRA_COMMAND="-extfile ${CERT_CONF} -extensions ${extsection}"
 	fi
+    umask "$(/bin/sh -l -c umask)"
 	OVIRT_KU="${ovirt_ku}" OVIRT_EKU="${ovirt_eku}" OVIRT_SAN="${ovirt_san}" \
 		openssl ca \
 		-batch \