Bug 1353936 - custodia.conf and server.keys file is world-readable.
Summary: custodia.conf and server.keys file is world-readable.
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Christian Heimes
QA Contact: Kaleem
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2016-07-08 12:59 UTC by Sudhir Menon
Modified: 2016-11-08 15:57 UTC (History)
Last Closed: 2016-11-04 05:56:53 UTC




External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Sudhir Menon 2016-07-08 12:59:34 UTC
Description of problem: custodia.conf and server.keys file is world-readable.


Version-Release number of selected component (if applicable):
ipa-server-4.4.0-1.el7.x86_64

How reproducible: Always

Steps to Reproduce:
1. Install ipa-server.
2. Navigate to /etc/ipa/custodia/ directory
3. Check the permission for custodia.conf and server.keys file.

Actual results:
/etc/ipa/custodia
[root@server custodia]# ls -l
total 8
-rw-r--r--. 1 root root  636 Jul  8 12:51 custodia.conf
-rw-r--r--. 1 root root 3353 Jul  8 12:51 server.keys

Expected results:
Config files and keys should not be world-readable unless required.

Additional info:

Comment 3 Christian Heimes 2016-07-08 18:37:23 UTC
Only FreeIPA 4.3.0 and newer are affected. RHEL 7.2 has 4.2.0 without Custodia. Fedora 24 is affected by the flaw. I have contacted SecAlert and Fabio has embargoed the bug.

The attached patch just chmods the file. I feel like it is not enough. I'm going to work on a new patch that will re-generate the keys and update the keys in LDAP, too.

Comment 5 Christian Heimes 2016-07-11 08:16:22 UTC
It turned out that the issue isn't a security issue. The directory /etc/ipa/custodia has permission 755 and owner root:root. Nobody except root is allowed to enter the directory which means that nobody except root is allowed to read the private keys of Custodia. I only looked at the file permission and not the directory permission.

I'm still going to change the permission of the server.keys with the next release.

Comment 6 Christian Heimes 2016-07-11 08:34:42 UTC
PS: The directory belongs to ipa-server-common:

%dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia
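Comments 5 and 6 rest on a point that a bare ls -l hides: a file's own mode only matters if every directory above it grants the search (x) bit to the user in question. The script below is an added example, not code from the bug report or from FreeIPA; it judges a path the way the kernel's permission walk does, from modes alone (it assumes GNU coreutils stat -c '%a'), and rebuilds the report's /etc/ipa/custodia layout in a scratch directory to compare the 755 named in comment 5 with the 0700 from the spec file.

```shell
# Added example, not code from the bug report or FreeIPA. Decide whether an
# unprivileged ("other") user can read a file, taking the search (x) bit of
# every parent directory into account, not just the file's own mode.
# Assumes GNU coreutils stat (-c '%a').

# Print the "others" octal digit of a path's mode, e.g. 4 for -rw-r--r--.
others_digit() {
    m=$(stat -c '%a' "$1") || return 1
    printf '%s\n' "${m#"${m%?}"}"          # last character of the octal mode
}

# Usage: effectively_world_readable FILE [STOP_DIR]
# Exit 0 if others can read FILE: FILE needs r (4) and every directory between
# STOP_DIR (exclusive, assumed reachable; default /) and FILE needs x (1).
effectively_world_readable() {
    file=$1
    stop=${2:-/}
    case $file in /*) ;; *) file=$PWD/$file ;; esac   # make the path absolute

    d=$(others_digit "$file") || return 1
    [ $(( 0$d & 4 )) -ne 0 ] || return 1              # file lacks o+r

    dir=$(dirname "$file")
    while [ "$dir" != "$stop" ] && [ "$dir" != / ]; do
        d=$(others_digit "$dir") || return 1
        [ $(( 0$d & 1 )) -ne 0 ] || return 1          # an ancestor lacks o+x
        dir=$(dirname "$dir")
    done
    return 0
}

# Demo: rebuild the layout from the report in a scratch directory and test
# server.keys (-rw-r--r--) under both directory modes mentioned in the bug.
demo() {
    root=$(mktemp -d)
    keys=$root/etc/ipa/custodia/server.keys
    mkdir -p "$root/etc/ipa/custodia"
    chmod 755 "$root/etc" "$root/etc/ipa"
    printf 'constructed placeholder, not a real key\n' > "$keys"
    chmod 644 "$keys"
    for mode in 755 700; do                # comment 5's 755 vs. the spec's 0700
        chmod "$mode" "$root/etc/ipa/custodia"
        if effectively_world_readable "$keys" "$root"; then
            echo "custodia dir $mode: server.keys IS readable by others"
        else
            echo "custodia dir $mode: server.keys is NOT readable by others"
        fi
    done
    rm -rf "$root"
}
demo
```

Running it prints one verdict per directory mode; with the 0700 directory the 644 key file is unreachable, which is the situation comment 5 describes.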

Comment 7 Adam Mariš 2016-07-11 09:52:23 UTC
(In reply to Christian Heimes from comment #5)
> It turned out that the issue isn't a security issue. 

Okay then, thanks for info! So do we still need to have this private?

Comment 8 Petr Vobornik 2016-07-12 14:37:30 UTC
As per triage on Jul 12 we no longer need to keep this bug private as it is not a security issue and also Debian is not affected (has correct dir rights).

Comment 9 Petr Vobornik 2016-07-12 14:40:37 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6056

Comment 10 Petr Vobornik 2016-07-12 14:42:20 UTC
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6015

Comment 12 Martin Bašti 2016-08-24 15:04:18 UTC
master:
* c346a2d1d19dea645d5afbc9578e7d6049d36275 Remove Custodia server keys from LDAP

Comment 15 Sudhir Menon 2016-09-14 12:45:07 UTC
Fix is seen. Verified on RHEL7.3 using 
ipa-server-4.4.0-11.el7.x86_64

server.keys file is no longer world-readable.

[root@master ipa]# ls -l | grep custodia
drwx------. 2 root root   46 Sep 13 13:25 custodia

/etc/ipa/custodia
[root@master custodia]# ls -l
total 8
-rw-r--r--. 1 root root  636 Sep 14 16:03 custodia.conf
-rw-------. 1 root root 3353 Sep 14 16:03 server.keys

Comment 17 errata-xmlrpc 2016-11-04 05:56:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html

