RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1353936 - custodia.conf and server.keys file is world-readable.
Summary: custodia.conf and server.keys file is world-readable.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Christian Heimes
QA Contact: Kaleem
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-07-08 12:59 UTC by Sudhir Menon
Modified: 2016-11-08 15:57 UTC (History)
9 users (show)

Fixed In Version: ipa-4.4.0-9.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 05:56:53 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 0 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Sudhir Menon 2016-07-08 12:59:34 UTC 
Description of problem: custodia.conf and server.keys file is world-readable.


Version-Release number of selected component (if applicable):
ipa-server-4.4.0-1.el7.x86_64

How reproducible: Always

Steps to Reproduce:
1. Install ipa-server.
2. Navigate to /etc/ipa/custodia/ directory
3. Check the permission for custodia.conf and server.keys file.

Actual results:
/etc/ipa/custodia
[root@server custodia]# ls -l
total 8
-rw-r--r--. 1 root root  636 Jul  8 12:51 custodia.conf
-rw-r--r--. 1 root root 3353 Jul  8 12:51 server.keys

Expected results:
Config files and keys should not be world-readable unless required.

Additional info:
Comment 3 Christian Heimes 2016-07-08 18:37:23 UTC 
Only FreeIPA 4.3.0 and newer are affected. RHEL 7.2 has 4.2.0 without Custodia. Fedora 24 is affected by the flaw. I have contacted SecAlert and Fabio has embargoed the bug.

The attached patch just chmods the file. I feel like it is not enough. I'm going to work on a new patch that will re-generate the keys and update the keys in LDAP, too.
Comment 5 Christian Heimes 2016-07-11 08:16:22 UTC 
It turned out that the issue isn't a security issue. The directory /etc/ipa/custodia has permission 755 and owner root:root. Nobody except root is allowed to enter the directory which means that nobody except root is allowed to read the private keys of Custodia. I only looked at the file permission and not the directory permission.

I'm still going to change the permission of the server.keys with the next release.
Comment 6 Christian Heimes 2016-07-11 08:34:42 UTC 
PS: The directory belongs to ipa-server-common:

%dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia
Comment 7 Adam Mariš 2016-07-11 09:52:23 UTC 
(In reply to Christian Heimes from comment #5)
> It turned out that the issue isn't a security issue. 

Okay then, thanks for info! So do we still need to have this private?
Comment 8 Petr Vobornik 2016-07-12 14:37:30 UTC 
As per triage on Jul 12 we no longer need to keep this bug private as it is not a security issue and also Debian is not affected(has correct dir rights).
Comment 9 Petr Vobornik 2016-07-12 14:40:37 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6056
Comment 10 Petr Vobornik 2016-07-12 14:42:20 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6015
Comment 11 Martin Bašti 2016-08-24 15:03:42 UTC 
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/d9ab0097e15618b0c614b3fdfa2ac4ea52b902c0
ipa-4-3:
https://fedorahosted.org/freeipa/changeset/fc3b695b5969992d63fad12cdf9607b8e8a20aff
Comment 12 Martin Bašti 2016-08-24 15:04:18 UTC 
master:
* c346a2d1d19dea645d5afbc9578e7d6049d36275 Remove Custodia server keys from LDAP
Comment 15 Sudhir Menon 2016-09-14 12:45:07 UTC 
Fix is seen. Verified on RHEL7.3 using 
ipa-server-4.4.0-11.el7.x86_64

server.keys files is no more world-readable.

[root@master ipa]# ls -l | grep custodia
drwx------. 2 root root   46 Sep 13 13:25 custodia

/etc/ipa/custodia
[root@master custodia]# ls -l
total 8
-rw-r--r--. 1 root root  636 Sep 14 16:03 custodia.conf
-rw-------. 1 root root 3353 Sep 14 16:03 server.keys
Comment 17 errata-xmlrpc 2016-11-04 05:56:53 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2404.html
Note You need to log in before you can comment on or make changes to this bug.