pki: make openssl database non-writable for others #558
/ost
packaging/bin/pki-common.sh.in
@@ -31,6 +31,7 @@ common_restore_perms() { | |||
# of these files, so we have to reset | |||
# our defaults | |||
chown --reference="${pkidir}" "${pkidir}"/serial.txt* "${pkidir}"/database.txt* "${pkidir}"/.rnd* > /dev/null 2>&1 | |||
chmod go-wx "${pkidir}"/serial.txt* "${pkidir}"/database.txt* "${pkidir}"/.rnd* || die "Cannot set files permissions" |
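Review bot: the added chmod line ends in `|| die "Cannot set files permissions"`, while the chown directly above it sends its errors to /dev/null and ignores them for the same file list, which suggests some of these patterns are expected to match nothing at times. With default shell globbing, an unmatched `"${pkidir}"/.rnd*` or `*.txt*` pattern is passed to chmod literally, chmod exits non-zero, and the script dies. Either run chmod only on the files that exist or handle failures of both commands the same way.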
so with umask this shouldn't actually be needed
How about the other pki-* scripts -- shouldn't the umask be set there too?
AFAICT the ones that are called from engine-setup are all right, it's just ansible that calls it with 000
I see, OK.
this works on DISA STIG enabled system too, but the default umask there is 077 and so the created files are "more open" than before, e.g.:
@mz-pdm do you think it's worth fixing?
You can get the current umask by simply running Such a change would require verifying that we set permissions on all the resulting files explicitly (with
Ah, yes, perhaps not in Ansible? Even on those systems? If so then I would say it's a bug in Ansible.
I think a better way would be
@@ -32,6 +32,7 @@ sign() { | |||
} | |||
trap cleanup 0 | |||
cat "${PKIDIR}/private/ca.pem" > "${TMPCA}" | |||
umask "$(/bin/sh -l -c umask)" |
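Review bot: the added `umask "$(/bin/sh -l -c umask)"` comes after `cat "${PKIDIR}/private/ca.pem" > "${TMPCA}"`, so if that redirect is what creates the file, the copy of the CA key is created under the inherited umask and not the one set here. Move the umask call above the first command in sign() that creates a file. The substitution result is also used unchecked: if the login shell fails or a profile script writes to stdout, the argument is empty or not a mask, so validate it and fall back to a fixed value.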
If there is no umask set explicitly in shell login scripts (/etc/profile, ...) then the umask is inherited from the calling environment. It shouldn't be a problem in RHEL-based systems though.
even though we copy these to hosts it's not a good idea to allow them to be overwritten by a random user. Openssl database files are also always recreated, umask should take care of all of that. Ansible does not use default umask from OS so we need to explicitly set it. We can use login shell to figure out the effective command-line umask value.
let's keep these files non-writable to any random user
Bug-Url: https://bugzilla.redhat.com/2088446
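
The umask behaviour discussed in this thread, as an added shell example that is not code from this pull request: it shows the mode a newly created file gets under the umasks mentioned above (000 when called from Ansible, 077 on a DISA STIG system) and a checked form of the login-shell lookup. The function names, the scratch file and the 022 fallback are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration; function names and the 022 fallback are assumptions.

# Print the candidate if it is a 3- or 4-digit octal mask, else the fallback.
# Multi-line or empty output (profile noise, failed shell) is rejected.
valid_umask() {
    candidate=$1
    fallback=$2
    case "$candidate" in
        [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) printf '%s\n' "$candidate" ;;
        *) printf '%s\n' "$fallback" ;;
    esac
}

# Ask a login shell for its umask, as the patch does, but validate the answer.
login_umask() {
    valid_umask "$(/bin/sh -l -c umask 2>/dev/null </dev/null)" 022
}

# Create a scratch file under the given umask (in a subshell, so the caller's
# umask is untouched) and print the resulting octal mode.
mode_under_umask() {
    (
        umask "$1" || exit 1
        dir=$(mktemp -d) || exit 1
        : > "$dir/database.txt"
        # GNU stat first, BSD stat as fallback
        stat -c '%a' "$dir/database.txt" 2>/dev/null ||
            stat -f '%Lp' "$dir/database.txt"
        rm -rf "$dir"
    )
}

# Demo: modes for the umasks named in the thread, then the validated lookup.
for mask in 000 022 077; do
    printf 'umask %s -> mode %s\n' "$mask" "$(mode_under_umask "$mask")"
done
printf 'validated login-shell umask: %s\n' "$(login_umask)"
```

Under umask 000 the file comes out world-writable (666), which is the case the explicit umask call is meant to close.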