Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP

Loading…

Allow integrated software to read keys #1030

Merged
merged 2 commits into from

2 participants

@teancom

From a comment I put right into the code:

Allow the pki dir to be 700 or 750, but nothing else. 
This prevents other users from writing out keys, while
allowing the use-case of 3rd-party software (like django)
to read in what it needs to integrate. 

If the permissions aren't correct, default to the more secure 700.

This will allow our custom django-based cmdb/virtualization control software to continue working.

I also did a #todo while I was in there - adding logging if we are unable to change the permissions of the pki dir to be safe.

@thatch45 thatch45 merged commit b5b9906 into saltstack:develop
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Commits on Mar 31, 2012
  1. allow the pki dir to have 750 permissions, add logging if unable to s…

    David Bishop authored
    …et permissions correctly
This page is out of date. Refresh to see the latest.
Showing with 11 additions and 3 deletions.
  1. +11 −3 salt/utils/verify.py
View
14 salt/utils/verify.py
@@ -75,11 +75,19 @@ def verify_env(dirs):
sys.stderr.write('Failed to create directory path "{0}" - {1}\n'.format(dir_, e))
mode = os.stat(dir_)
- # TODO: Should this log if it can't set the permissions
- # to very secure for these PKI cert directories?
- if not stat.S_IMODE(mode.st_mode) == 448:
+ # Allow the pki dir to be 700 or 750, but nothing else.
+ # This prevents other users from writing out keys, while
+ # allowing the use-case of 3rd-party software (like django)
+ # to read in what it needs to integrate.
+ #
+ # If the permissions aren't correct, default to the more secure 700.
+ smode = stat.S_IMODE(mode.st_mode)
+ if not smode == 448 and not smode == 488:
if os.access(dir_, os.W_OK):
os.chmod(dir_, 448)
+ else:
+ msg = 'Unable to securely set the permissions of "{0}".'.format(dir_)
+ log.critical(msg)
# Run the extra verification checks
zmq_version()
Something went wrong with that request. Please try again.