acme module's group parameter is non-functional #48627

Closed
nbraud opened this issue Jul 17, 2018 · 2 comments
Labels: Bug (broken, incorrect, or confusing behavior), P3 (Priority 3), severity-medium (3rd level, incorrect or bad functionality, confusing and lacks a work around), State-Module

nbraud commented Jul 17, 2018

Description of Issue/Question

acme.cert enforces that the private key file is mode 0600, so setting the group ownership using the group option does not actually result in another group being able to read the private key.

Please change the permission to 0640, which is the only sensible default, given that there is a group parameter which defaults to root. Perhaps consider making it configurable.

Setup

somegroup:
  group.present

some.example.com:
  acme.cert:
    - email: webmaster@example.com
    - group: somegroup

Steps to Reproduce Issue

  1. Apply that state to a minion.
  2. After a successful highstate, confirm that group somegroup cannot read the private key file.

Versions Report

2018.3.2, but looking at the code suggests that it's still present in develop.

$ salt --versions-report
Salt Version:
           Salt: 2018.3.2
 
Dependency Versions:
           cffi: 1.10.0
       cherrypy: 3.2.2
       dateutil: 2.1
      docker-py: Not Installed
          gitdb: Not Installed
      gitpython: Not Installed
          ioflo: Not Installed
         Jinja2: 2.7.2
        libgit2: Not Installed
        libnacl: Not Installed
       M2Crypto: Not Installed
           Mako: Not Installed
   msgpack-pure: Not Installed
 msgpack-python: 0.4.6
   mysql-python: Not Installed
      pycparser: 2.18
       pycrypto: 2.6.1
   pycryptodome: Not Installed
         pygit2: Not Installed
         Python: 2.7.14 (default, May  2 2018, 18:31:34)
   python-gnupg: Not Installed
         PyYAML: 3.10
          PyZMQ: 14.5.0
           RAET: Not Installed
          smmap: Not Installed
        timelib: Not Installed
        Tornado: 4.2.1
            ZMQ: 4.0.5
 
System Versions:
           dist:   
         locale: UTF-8
        machine: x86_64
        release: 4.14.51-60.38.amzn1.x86_64
         system: Linux
        version: Not Installed
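
The check in step 2 can be scripted. The following is an added example, not part of the original issue or of Salt's code: it audits a key file's mode bits the way the report reasons about them (0600 makes the group setting ineffective, 0640 is the requested behaviour) and, going slightly beyond the report, also flags access for other users. The names `audit_key_mode` and `demo` are hypothetical, and an empty temporary file stands in for the private key.

```python
import os
import stat
import tempfile


def audit_key_mode(path, want_gid=None):
    """Return findings for a private key that is meant to be group-readable."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if want_gid is not None and st.st_gid != want_gid:
        findings.append("group owner is gid %d, expected %d" % (st.st_gid, want_gid))
    if not mode & stat.S_IRGRP:
        # The situation reported in the issue: group ownership without a read bit.
        findings.append("mode %04o: group has no read bit, group ownership has no effect" % mode)
    if mode & (stat.S_IWGRP | stat.S_IXGRP):
        findings.append("mode %04o: group has more than read access" % mode)
    if mode & stat.S_IRWXO:
        findings.append("mode %04o: key is accessible to other users" % mode)
    return findings


def demo():
    """Audit a constructed sample file under three modes and return the findings."""
    fd, path = tempfile.mkstemp()  # constructed stand-in for the private key
    os.close(fd)
    try:
        results = {}
        for mode in (0o600, 0o640, 0o644):
            os.chmod(path, mode)
            # Assumption: the file's current group plays the role of "somegroup".
            results[mode] = audit_key_mode(path, want_gid=os.stat(path).st_gid)
        return results
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for mode, findings in demo().items():
        print("%04o -> %s" % (mode, findings or "ok"))
```

On a minion, call `audit_key_mode` with the path of the key that `acme.cert` wrote and the gid of the group from the state.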
@AstraLuma

Specifically https://github.com/saltstack/salt/blob/v2018.3.2/salt/modules/acme.py#L183 where the mode is hard-coded.

Ch3LL commented Jul 18, 2018

Thanks for the PR! As it looks like your PR does indeed fix the issue, I will close this issue and keep the conversation in the PR, but let me know if this needs to be re-opened.

Ch3LL closed this as completed Jul 18, 2018
Ch3LL added the Bug, State-Module, severity-medium and P3 labels Jul 18, 2018
Ch3LL added this to the Approved milestone Jul 18, 2018
cro pushed a commit to cro/salt that referenced this issue Jul 26, 2018