Bug 585030

Summary: mod_ssl creates a certificate which is read-only-root
Product: Red Hat Enterprise Linux 5
Reporter: Bryan Mason <bmason>
Component: httpd
Assignee: Joe Orton <jorton>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: medium
Version: 5.4
CC: tao
Target Milestone: rc
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2010-04-23 08:04:58 UTC

Description Bryan Mason 2010-04-22 23:11:16 UTC
Description of problem:

    When mod_ssl generates a test server certificate in %post, the
    umask is 077, which results in the following file permissions:

    -rw------- 1 root root 1549 Mar 19 16:12 /etc/pki/tls/certs/localhost.crt

    Other applications, running as non-root users, can't read the
    file.  This can cause problems with other applications that use
    OpenSSL to read CA Certs from this directory (the OpenSSL library
    aborts processing of a directory if one of the certificates in the
    directory can't be read).
    
Version-Release number of selected component (if applicable):

    mod_ssl-2.2.3-31.el5

How reproducible:

    100%

Steps to Reproduce:
    1. Install mod_ssl
  
Actual results:

    File has "-rw------- 1 root root" permissions.

Expected results:

    File should have "-rw-r--r-- 1 root root" permissions, like
    the rest of the files in /etc/pki/tls/certs.

Additional info:

    The script that creates the certificate is:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

# rpm -q --scripts mod_ssl
postinstall scriptlet (using /bin/sh):
umask 077
     
if [ ! -f /etc/pki/tls/private/localhost.key ] ; then
/usr/bin/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 1024 > /etc/pki/tls/private/localhost.key 2> /dev/null
fi
     
FQDN=`hostname`
if [ "x${FQDN}" = "x" ]; then
   FQDN=localhost.localdomain
fi
     
if [ ! -f /etc/pki/tls/certs/localhost.crt ] ; then
cat << EOF | /usr/bin/openssl req -new -key /etc/pki/tls/private/localhost.key \
         -x509 -days 365 -set_serial $RANDOM \
         -out /etc/pki/tls/certs/localhost.crt 2>/dev/null
--
SomeState
SomeCity
SomeOrganization
SomeOrganizationalUnit
${FQDN}
root@${FQDN}
EOF
fi

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

    It looks like the umask was (correctly) changed to 077 to generate
    the private key, but then was not changed back to 022 to make the
    certificate world-readable.

    It has been mentioned that /etc/pki/tls/certs shouldn't be used to
    store CA certs.  However, storing CA certs in a directory _is_
    allowed with the current configuration options, so unless there's
    a specific reason to keep the mod_ssl certificate read-only-root,
    I believe that mod_ssl shouldn't generate a certificate that could
    potentially cause other applications to fail.
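The change the report asks for, written out as an added example (this is not the mod_ssl %post scriptlet and not Red Hat's code): the private key is generated under umask 077 so it stays owner-only, and the certificate is generated under umask 022 so it ends up 0644 like the rest of /etc/pki/tls/certs. Each umask change is scoped to a subshell so it cannot leak into later steps. The base directory is a parameter standing in for /etc/pki/tls (a temp dir in the usage below), and on a host without openssl the script writes constructed placeholder files so the permission check can still be exercised; the mode_of and check_modes helpers are assumptions added for verification, not part of the original scriptlet.

```sh
#!/bin/sh
# Added example, not the mod_ssl %post scriptlet from the report.
# Key under umask 077 (mode 0600), certificate under umask 022 (mode 0644).
# "$1" stands in for /etc/pki/tls; the caller passes a directory it owns.

make_test_cert() {
    base="$1"
    mkdir -p "$base/private" "$base/certs"
    key="$base/private/localhost.key"
    crt="$base/certs/localhost.crt"

    # Private key: umask 077 -> 0600. Only the TLS server should read it.
    (
        umask 077
        if [ ! -f "$key" ]; then
            openssl genrsa -out "$key" 2048 2>/dev/null ||
                printf 'constructed placeholder, not a real key\n' > "$key"
        fi
    )

    # Certificate: umask 022 -> 0644. The cert is public data; keeping it
    # 0600 only blocks non-root readers of the certs directory.
    (
        umask 022
        if [ ! -f "$crt" ]; then
            openssl req -new -x509 -key "$key" -days 365 \
                -subj '/CN=localhost.localdomain' -out "$crt" 2>/dev/null ||
                printf 'constructed placeholder, not a real cert\n' > "$crt"
        fi
    )
}

# Symbolic mode of a file: first 10 characters of ls -l (portable across
# GNU and BSD ls; a trailing '.' or '+' for SELinux/ACLs is cut off).
mode_of() {
    ls -l "$1" | cut -c1-10
}

# Audit helper: exit 0 when the key is 0600 and the cert is 0644, else 1.
check_modes() {
    [ "$(mode_of "$1/private/localhost.key")" = "-rw-------" ] &&
    [ "$(mode_of "$1/certs/localhost.crt")" = "-rw-r--r--" ]
}
```

Usage: tmp=$(mktemp -d); make_test_cert "$tmp"; check_modes "$tmp" && echo ok. check_modes is also usable on its own against a real /etc/pki/tls tree to detect the read-only-root certificate the report describes.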

Comment 1 Joe Orton 2010-04-23 08:04:58 UTC
Per previous discussion, configuring any application to read all certs from:

  /etc/pki/tls/certs/

and treat such certs as trusted CA certs is a misconfiguration.  That directory is not intended to be used in that way, nor is it documented to be used that way.  The mod_ssl cert and private key are for use only by mod_ssl.