Bug 1353936
| Summary: | custodia.conf and server.keys file is world-readable. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Sudhir Menon <sumenon> |
| Component: | ipa | Assignee: | Christian Heimes <cheimes> |
| Status: | CLOSED ERRATA | QA Contact: | Kaleem <ksiddiqu> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | ||
| Version: | 7.3 | CC: | cheimes, jcholast, jhrozek, mbasti, mkolaja, pvoborni, rcritten, security-response-team, ssorce |
| Target Milestone: | rc | ||
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-4.4.0-9.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-11-04 05:56:53 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Sudhir Menon
2016-07-08 12:59:34 UTC
Only FreeIPA 4.3.0 and newer are affected. RHEL 7.2 has 4.2.0 without Custodia. Fedora 24 is affected by the flaw. I have contacted SecAlert and Fabio has embargoed the bug. The attached patch just chmods the file. I feel like it is not enough. I'm going to work on a new patch that will re-generate the keys and update the keys in LDAP, too. It turned out that the issue isn't a security issue. The directory /etc/ipa/custodia has permission 755 and owner root:root. Nobody except root is allowed to enter the directory which means that nobody except root is allowed to read the private keys of Custodia. I only looked at the file permission and not the directory permission. I'm still going to change the permission of the server.keys with the next release. PS: The directory belongs to ipa-server-common:
%dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia
(In reply to Christian Heimes from comment #5) > It turned out that the issue isn't a security issue. Okay then, thanks for info! So do we still need to have this private? As per triage on Jul 12 we no longer need to keep this bug private as it is not a security issue and also Debian is not affected(has correct dir rights). Upstream ticket: https://fedorahosted.org/freeipa/ticket/6056 Upstream ticket: https://fedorahosted.org/freeipa/ticket/6015 Fixed upstream master: https://fedorahosted.org/freeipa/changeset/d9ab0097e15618b0c614b3fdfa2ac4ea52b902c0 ipa-4-3: https://fedorahosted.org/freeipa/changeset/fc3b695b5969992d63fad12cdf9607b8e8a20aff master: * c346a2d1d19dea645d5afbc9578e7d6049d36275 Remove Custodia server keys from LDAP Fix is seen. Verified on RHEL7.3 using ipa-server-4.4.0-11.el7.x86_64 server.keys files is no more world-readable. [root@master ipa]# ls -l | grep custodia drwx------. 2 root root 46 Sep 13 13:25 custodia /etc/ipa/custodia [root@master custodia]# ls -l total 8 -rw-r--r--. 1 root root 636 Sep 14 16:03 custodia.conf -rw-------. 1 root root 3353 Sep 14 16:03 server.keys Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html |