URL: https://github.com/freeipa/freeipa/pull/804
Author: abbra
 Title: #804: krb5: make sure KDC certificate is readable
Action: synchronized

From 1eb6639ad94cfa674bf59b893929fdf902344733 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Mon, 22 May 2017 22:36:18 +0300
Subject: [PATCH] krb5: make sure KDC certificate is readable

When requesting a certificate for the KDC profile, make sure its public part
is actually readable to others.

Fixes https://pagure.io/freeipa/issue/6973
---
 ipalib/install/certmonger.py     | 12 +++++++++---
 ipaserver/install/krbinstance.py |  3 ++-
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py
index 5709853ffe..ad031a738f 100644
--- a/ipalib/install/certmonger.py
+++ b/ipalib/install/certmonger.py
@@ -302,7 +302,7 @@ def add_subject(request_id, subject):
 def request_and_wait_for_cert(
         certpath, subject, principal, nickname=None, passwd_fname=None,
         dns=None, ca='IPA', profile=None,
-        pre_command=None, post_command=None, storage='NSSDB'):
+        pre_command=None, post_command=None, storage='NSSDB', perms=None):
     """
     Execute certmonger to request a server certificate.
 
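Review bot: The docstring of request_and_wait_for_cert shown in this hunk does not describe the new `perms` parameter, while request_cert's docstring in a later hunk does. The docstring line between this hunk and the next is not visible here; if it does not document `perms` either, add the same entry, ``perms`` — `A tuple of (cert, key) permissions, passed through to request_cert.` The function continues beyond the hunk.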
@@ -310,7 +310,7 @@ def request_and_wait_for_cert(
     """
     reqId = request_cert(certpath, subject, principal, nickname,
                          passwd_fname, dns, ca, profile,
-                         pre_command, post_command, storage)
+                         pre_command, post_command, storage, perms)
     state = wait_for_request(reqId, api.env.startup_timeout)
     ca_error = get_request_value(reqId, 'ca-error')
     if state != 'MONITORING' or ca_error:
@@ -321,12 +321,14 @@ def request_and_wait_for_cert(
 def request_cert(
         certpath, subject, principal, nickname=None, passwd_fname=None,
         dns=None, ca='IPA', profile=None,
-        pre_command=None, post_command=None, storage='NSSDB'):
+        pre_command=None, post_command=None, storage='NSSDB', perms=None):
     """
     Execute certmonger to request a server certificate.
 
     ``dns``
         A sequence of DNS names to appear in SAN request extension.
+    ``perms``
+        A tuple of (cert, key) permissions in e.g., (0644,0660)
     """
     if storage == 'FILE':
         certfile, keyfile = certpath
@@ -367,6 +369,10 @@ def request_cert(
             post_command = certmonger_cmd_template % (post_command)
         request_parameters['cert-postsave-command'] = post_command
 
+    if perms:
+        request_parameters['key-perms'] = perms[0]
+        request_parameters['cert-perms'] = perms[1]
+
     result = cm.obj_if.add_request(request_parameters)
     try:
         if result[0]:
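Review bot: The tuple indices are swapped relative to the documented order: the docstring added in the previous hunk describes `perms` as `(cert, key)`, but here `perms[0]` is stored as `key-perms` and `perms[1]` as `cert-perms`. With the caller in krbinstance.py passing `(0644, 0600)`, the private key would be made world-readable and the certificate owner-only, the opposite of the commit's intent. Either swap the two assignments, `request_parameters['cert-perms'] = perms[0]` and `request_parameters['key-perms'] = perms[1]`, or fix the docstring and the caller together; unpacking with `cert_perms, key_perms = perms` would also make a malformed tuple fail loudly instead of silently. The docstring example `(0644,0660)` additionally shows a group-writable key mode, which is probably not what the example should suggest. request_cert's body continues outside the hunk.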
diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index 1692e0b2ba..8f734d5709 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -432,7 +432,8 @@ def _call_certmonger(self, certmonger_ca='IPA'):
                 dns=self.fqdn,
                 storage='FILE',
                 profile=KDC_PROFILE,
-                post_command='renew_kdc_cert')
+                post_command='renew_kdc_cert',
+                perms=(0644, 0600))
         except dbus.DBusException as e:
             # if the certificate is already tracked, ignore the error
             name = e.get_dbus_name()
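Review bot: `0644` and `0600` on the added line are Python 2 octal literals, which are a SyntaxError under Python 3; if this module is expected to import on both, write them as `perms=(0o644, 0o600)` (the docstring example in certmonger.py uses the same legacy form). The order of this tuple must match the `(cert, key)` order request_cert documents, so it is worth adding a short comment such as `# (cert, key) modes: cert must be world-readable, key owner-only`. `_call_certmonger` starts before the hunk.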