Bug 1353936 - custodia.conf and server.keys file is world-readable.
Summary: custodia.conf and server.keys file is world-readable.
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Christian Heimes
QA Contact: Kaleem
Depends On:
Reported: 2016-07-08 12:59 UTC by Sudhir Menon
Modified: 2016-11-08 15:57 UTC (History)

Fixed In Version: ipa-4.4.0-9.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2016-11-04 05:56:53 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Sudhir Menon 2016-07-08 12:59:34 UTC
Description of problem: the custodia.conf and server.keys files are world-readable.

Version-Release number of selected component (if applicable):

How reproducible: Always

Steps to Reproduce:
1. Install ipa-server.
2. Navigate to the /etc/ipa/custodia/ directory.
3. Check the permissions of the custodia.conf and server.keys files.

Actual results:
[root@server custodia]# ls -l
total 8
-rw-r--r--. 1 root root  636 Jul  8 12:51 custodia.conf
-rw-r--r--. 1 root root 3353 Jul  8 12:51 server.keys

Expected results:
Config files and keys should not be world-readable unless required.

Additional info:

Comment 3 Christian Heimes 2016-07-08 18:37:23 UTC
Only FreeIPA 4.3.0 and newer are affected. RHEL 7.2 has 4.2.0 without Custodia. Fedora 24 is affected by the flaw. I have contacted SecAlert and Fabio has embargoed the bug.

The attached patch just chmods the file. I feel like it is not enough. I'm going to work on a new patch that will re-generate the keys and update the keys in LDAP, too.

Comment 5 Christian Heimes 2016-07-11 08:16:22 UTC
It turned out that the issue isn't a security issue. The directory /etc/ipa/custodia has permission 755 and owner root:root. Nobody except root is allowed to enter the directory which means that nobody except root is allowed to read the private keys of Custodia. I only looked at the file permission and not the directory permission.

I'm still going to change the permission of the server.keys with the next release.

Comment 6 Christian Heimes 2016-07-11 08:34:42 UTC
PS: The directory belongs to ipa-server-common:

%dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia
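
A check that applies the reasoning from comments 5 and 6, added here as an example and not part of the FreeIPA code: a file is only exposed to "other" if every ancestor directory grants the search (execute) bit as well, so a 0644 server.keys inside a 0700 /etc/ipa/custodia is not reachable. It rebuilds the three layouts from this report in a temporary directory with a constructed placeholder file; `top` is an assumed trusted, world-searchable ancestor (such as /etc) at which the walk stops.

```python
import os
import stat
import tempfile


def other_can_read(file_mode, dir_modes):
    """Pure check on st_mode values: True only if 'other' can open the file.

    dir_modes are the modes of the ancestor directories; each one must carry
    the search bit (o+x), otherwise the path cannot be traversed at all.
    """
    for mode in dir_modes:
        if not mode & stat.S_IXOTH:
            return False
    return bool(file_mode & stat.S_IROTH)


def audit(path, top):
    """Stat `path` and every directory between it and `top` (assumed
    world-searchable, e.g. /etc) and report effective world-readability."""
    path, top = os.path.abspath(path), os.path.abspath(top)
    dir_modes = []
    d = os.path.dirname(path)
    while d != top:
        if os.path.commonpath([d, top]) != top:
            raise ValueError("%s is not below %s" % (path, top))
        dir_modes.append(os.stat(d).st_mode)
        d = os.path.dirname(d)
    return other_can_read(os.stat(path).st_mode, dir_modes)


def demo():
    """Reproduce the layouts from the report in a temp dir (constructed data)."""
    with tempfile.TemporaryDirectory() as tmp:
        custodia = os.path.join(tmp, "custodia")
        os.mkdir(custodia)
        keys = os.path.join(custodia, "server.keys")
        with open(keys, "w") as fh:
            fh.write("placeholder contents, not a real key\n")
        os.chmod(keys, 0o644)
        os.chmod(custodia, 0o755)
        naive = audit(keys, tmp)      # 755 dir + 644 file: exposed
        os.chmod(custodia, 0o700)
        spec_dir = audit(keys, tmp)   # 700 dir as in the spec file: not reachable
        os.chmod(custodia, 0o755)
        os.chmod(keys, 0o600)
        fixed_file = audit(keys, tmp)  # 600 file as verified in comment 15
        return naive, spec_dir, fixed_file
```

The pure `other_can_read` can also be fed modes collected from an `rpm -V`-style inventory without touching the filesystem.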

Comment 7 Adam Mariš 2016-07-11 09:52:23 UTC
(In reply to Christian Heimes from comment #5)
> It turned out that the issue isn't a security issue. 

Okay then, thanks for the info! So do we still need to have this private?

Comment 8 Petr Vobornik 2016-07-12 14:37:30 UTC
As per triage on Jul 12 we no longer need to keep this bug private as it is not a security issue and also Debian is not affected (it has correct dir rights).

Comment 9 Petr Vobornik 2016-07-12 14:40:37 UTC
Upstream ticket:

Comment 10 Petr Vobornik 2016-07-12 14:42:20 UTC
Upstream ticket:

Comment 12 Martin Bašti 2016-08-24 15:04:18 UTC
* c346a2d1d19dea645d5afbc9578e7d6049d36275 Remove Custodia server keys from LDAP

Comment 15 Sudhir Menon 2016-09-14 12:45:07 UTC
Fix is seen. Verified on RHEL7.3 using 

The server.keys file is no longer world-readable.

[root@master ipa]# ls -l | grep custodia
drwx------. 2 root root   46 Sep 13 13:25 custodia

[root@master custodia]# ls -l
total 8
-rw-r--r--. 1 root root  636 Sep 14 16:03 custodia.conf
-rw-------. 1 root root 3353 Sep 14 16:03 server.keys

Comment 17 errata-xmlrpc 2016-11-04 05:56:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
