Bug 1325693

Summary: /etc/pki/pulp/rsa.key is installed world readable
Product: [Fedora] Fedora
Reporter: Randy Barlow <rbarlow>
Component: pulp
Assignee: Randy Barlow <rbarlow>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: high
Version: 24
CC: anemec, jeremy, rbarlow, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: pulp-2.8.2-2.fc24, pulp-2.8.2-2.fc25 pulp-2.8.3-1.fc24
Doc Type: Bug Fix
Last Closed: 2016-05-24 18:06:32 UTC
Type: Bug

Description Randy Barlow 2016-04-10 17:40:16 UTC
This is a bug with the Fedora spec file that is not present upstream. The spec file generates an RSA keypair that is used to sign messages sent to consumers that are managed by Pulp. The spec file in Fedora 24 and Rawhide installs this key world-readable.

Fixing the install won't be difficult, but fixing existing installations may be trickier. I am considering adding an instruction in %post that removes read permissions. If we took this path, we'd probably need to maintain it until Fedora 27. No "stable" versions of Fedora have ever shipped with this flaw since Pulp is new in Fedora 24 which is currently in Alpha stage. Even so, I'd be reluctant to ignore existing installations. If anyone has a suggestion of a best practice for ensuring this file has proper permissions I'd love to hear it.
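
An added example, not taken from the bug report or from the Fedora spec file: an idempotent check-and-repair routine of the kind a %post scriptlet could call on every upgrade to fix keys already installed with world access. The function names are hypothetical, GNU `stat` is assumed, and the end state chosen here (no access for "other", owner and group untouched) is an assumption because the report does not state the intended mode.

```sh
#!/bin/sh
# Added example: audit and repair a private key installed world-accessible.
# Assumption: the desired end state is "no access for other"; owner and group
# are left alone because the bug report does not state them.

# Print the octal mode of a file (GNU coreutils stat, as shipped on Fedora).
key_mode() {
    stat -c '%a' -- "$1"
}

# Return 0 if "other" holds any permission bit on the file, non-zero otherwise.
key_is_world_accessible() {
    mode=$(key_mode "$1") || return 2
    other=${mode#"${mode%?}"}   # last octal digit = permissions for "other"
    [ "$other" != "0" ]
}

# Strip all "other" bits from an existing key. Idempotent, so it can stay in
# the scriptlet for several releases.
# Returns 0 when the key is fine, fixed or absent; 1 when the path is refused.
fix_key_perms() {
    key=$1
    # Fresh install: the key has not been generated yet, nothing to repair.
    [ -e "$key" ] || [ -L "$key" ] || return 0
    # Scriptlets run as root and chmod follows symlinks, so only touch a
    # regular file at exactly this path.
    if [ -L "$key" ] || [ ! -f "$key" ]; then
        echo "refusing to chmod $key: not a regular file" >&2
        return 1
    fi
    if key_is_world_accessible "$key"; then
        chmod o-rwx -- "$key" || return 1
        echo "removed world access from $key" >&2
    fi
    return 0
}

# In a %post scriptlet the call would be (path from the bug summary):
#   fix_key_perms /etc/pki/pulp/rsa.key || :
```

Tightening the mode does not undo any exposure that happened while the key was readable; rotating the key pair is a separate decision.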

Comment 2 Fedora Update System 2016-05-18 21:46:33 UTC
pulp-2.8.3-1.fc24 pulp-puppet-2.8.3-1.fc24 pulp-rpm-2.8.3-1.fc24 pulp-ostree-1.1.1-1.fc24 pulp-docker-2.0.1-1.fc24 pulp-python-1.1.1-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-f9db2293a8

Comment 3 Fedora Update System 2016-05-21 01:33:58 UTC
pulp-2.8.3-1.fc24, pulp-docker-2.0.1-1.fc24, pulp-ostree-1.1.1-1.fc24, pulp-puppet-2.8.3-2.fc24, pulp-python-1.1.1-1.fc24, pulp-rpm-2.8.3-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-f9db2293a8

Comment 4 Fedora Update System 2016-05-24 18:06:13 UTC
pulp-2.8.3-1.fc24, pulp-docker-2.0.1-1.fc24, pulp-ostree-1.1.1-1.fc24, pulp-puppet-2.8.3-2.fc24, pulp-python-1.1.1-1.fc24, pulp-rpm-2.8.3-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.