Description of problem:
custodia.conf and server.keys files are world-readable.

Version-Release number of selected component (if applicable):
ipa-server-4.4.0-1.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install ipa-server.
2. Navigate to the /etc/ipa/custodia/ directory.
3. Check the permissions of the custodia.conf and server.keys files.

Actual results:
/etc/ipa/custodia
[root@server custodia]# ls -l
total 8
-rw-r--r--. 1 root root 636 Jul 8 12:51 custodia.conf
-rw-r--r--. 1 root root 3353 Jul 8 12:51 server.keys

Expected results:
Config files and keys should not be world-readable unless required.

Additional info:
Only FreeIPA 4.3.0 and newer are affected. RHEL 7.2 has 4.2.0 without Custodia. Fedora 24 is affected by the flaw. I have contacted SecAlert and Fabio has embargoed the bug. The attached patch just chmods the file. I feel like it is not enough. I'm going to work on a new patch that will re-generate the keys and update the keys in LDAP, too.
It turned out that the issue isn't a security issue. The directory /etc/ipa/custodia has permission 755 and owner root:root. Nobody except root is allowed to enter the directory which means that nobody except root is allowed to read the private keys of Custodia. I only looked at the file permission and not the directory permission. I'm still going to change the permission of the server.keys with the next release.
PS: The directory belongs to ipa-server-common: %dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia
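An added example, not part of the original comments or FreeIPA's code: the check below applies the reasoning from the comment above, that a file is only reachable by other users if every ancestor directory grants them search permission, regardless of the file's own mode. The helper names, the `top` parameter and the temporary layout are assumptions made for the illustration; only classic mode bits are evaluated.

```python
import os
import stat
import tempfile


def world_can_read(path, top="/"):
    """Return (readable, reason) for a user in the "other" class.

    Only classic mode bits are evaluated. POSIX ACLs, SELinux and
    capabilities are ignored, and `top` itself is assumed reachable.
    """
    path, top = os.path.realpath(path), os.path.realpath(top)
    dirs = []
    d = os.path.dirname(path)
    while d != top and d != os.path.dirname(d):
        dirs.append(d)
        d = os.path.dirname(d)
    # Opening a file requires search (x) permission on every ancestor.
    for d in reversed(dirs):
        if not os.stat(d).st_mode & stat.S_IXOTH:
            return False, "blocked by directory " + d
    if not os.stat(path).st_mode & stat.S_IROTH:
        return False, "file mode denies read"
    return True, "file and ancestors are open to other"


def demo():
    """Evaluate a constructed layout that mirrors the one in the report."""
    results = {}
    with tempfile.TemporaryDirectory() as top:
        custodia = os.path.join(top, "custodia")
        os.mkdir(custodia)
        keys = os.path.join(custodia, "server.keys")
        with open(keys, "w") as fh:
            fh.write("constructed placeholder, not a real key\n")
        os.chmod(keys, 0o644)
        for label, mode in (("dir 0700", 0o700), ("dir 0755", 0o755)):
            os.chmod(custodia, mode)
            results[label] = world_can_read(keys, top=top)[0]
        os.chmod(keys, 0o600)
        results["dir 0755, file 0600"] = world_can_read(keys, top=top)[0]
    return results


if __name__ == "__main__":
    for case, readable in demo().items():
        print(case, "->", "world-readable" if readable else "not readable")
```

The 0644 file is unreachable only while the directory stays at 0700, which is why tightening the file mode itself still matters as defense in depth.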
(In reply to Christian Heimes from comment #5)
> It turned out that the issue isn't a security issue.

Okay then, thanks for info! So do we still need to have this private?
As per triage on Jul 12 we no longer need to keep this bug private as it is not a security issue and also Debian is not affected (has correct dir rights).
Upstream ticket: https://fedorahosted.org/freeipa/ticket/6056
Upstream ticket: https://fedorahosted.org/freeipa/ticket/6015
Fixed upstream
master: https://fedorahosted.org/freeipa/changeset/d9ab0097e15618b0c614b3fdfa2ac4ea52b902c0
ipa-4-3: https://fedorahosted.org/freeipa/changeset/fc3b695b5969992d63fad12cdf9607b8e8a20aff
master:
* c346a2d1d19dea645d5afbc9578e7d6049d36275 Remove Custodia server keys from LDAP
Fix is seen. Verified on RHEL7.3 using ipa-server-4.4.0-11.el7.x86_64

The server.keys file is no longer world-readable.

[root@master ipa]# ls -l | grep custodia
drwx------. 2 root root 46 Sep 13 13:25 custodia

/etc/ipa/custodia
[root@master custodia]# ls -l
total 8
-rw-r--r--. 1 root root 636 Sep 14 16:03 custodia.conf
-rw-------. 1 root root 3353 Sep 14 16:03 server.keys
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2404.html