Bug 585030 - mod_ssl creates a certificate which is read-only-root
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: httpd
Version: 5.4
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Joe Orton
QA Contact: BaseOS QE Security Team
Reported: 2010-04-22 19:11 EDT by Bryan Mason
Modified: 2010-11-09 07:49 EST
Doc Type: Bug Fix
Last Closed: 2010-04-23 04:04:58 EDT
Description Bryan Mason 2010-04-22 19:11:16 EDT
Description of problem:

    When mod_ssl generates a test server certificate in %post, the
    umask is 077, which results in the following file permissions:

    -rw------- 1 root root 1549 Mar 19 16:12 /etc/pki/tls/certs/localhost.crt

    Other applications, running as non-root users, can't read the
    file.  This can cause problems with other applications that use
    OpenSSL to read CA Certs from this directory (the OpenSSL library
    aborts processing of a directory if one of the certificates in the
    directory can't be read).
    
Version-Release number of selected component (if applicable):

    mod_ssl-2.2.3-31.el5

How reproducible:

    100%

Steps to Reproduce:
    1. Install mod_ssl
  
Actual results:

    File has "-rw------- 1 root root" permissions.

Expected results:

    File should have "-rw-r--r-- 1 root root" permissions, like
    the rest of the files in /etc/pki/tls/certs.

Additional info:

    The script that creates the certificate is:

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

# rpm -q --scripts mod_ssl
postinstall scriptlet (using /bin/sh):
umask 077
     
if [ ! -f /etc/pki/tls/private/localhost.key ] ; then
/usr/bin/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 1024 > /etc/pki/tls/private/localhost.key 2> /dev/null
fi
     
FQDN=`hostname`
if [ "x${FQDN}" = "x" ]; then
   FQDN=localhost.localdomain
fi
     
if [ ! -f /etc/pki/tls/certs/localhost.crt ] ; then
cat << EOF | /usr/bin/openssl req -new -key /etc/pki/tls/private/localhost.key \
         -x509 -days 365 -set_serial $RANDOM \
         -out /etc/pki/tls/certs/localhost.crt 2>/dev/null
--
SomeState
SomeCity
SomeOrganization
SomeOrganizationalUnit
${FQDN}
root@${FQDN}
EOF
fi

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

    It looks like the umask was (correctly) changed to 077 to generate
    the private key, but then was not changed back to 022 to make the
    certificate world-readable.

    It has been mentioned that /etc/pki/tls/certs shouldn't be used to
    store CA certs.  However, storing CA certs in a directory _is_
    allowed with the current configuration options, so unless there's
    a specific reason to keep the mod_ssl certificate read-only-root,
    I believe that mod_ssl shouldn't generate a certificate that could
    potentially cause other applications to fail.
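
The umask behaviour described in this report, as an added example that is not part of the original bug or of the mod_ssl package: it creates a key and a certificate placeholder under different umasks and then checks the resulting modes. The helper names make_pair, mode_of and check_modes are hypothetical, and the files are placeholders written with printf, not real keys or certificates.

```shell
#!/bin/sh
# Added example: the umask in effect decides the mode of each file a
# scriptlet creates. Helper names and file contents are constructed.

# Create a placeholder key under umask 077 and a placeholder cert under the
# umask given as $2. Each umask change is confined to a subshell so it
# cannot leak into later commands of the calling script.
make_pair() {
    dir=$1 cert_umask=$2
    mkdir -p "$dir/private" "$dir/certs"
    ( umask 077; printf 'placeholder key\n' > "$dir/private/localhost.key" )
    ( umask "$cert_umask"; printf 'placeholder cert\n' > "$dir/certs/localhost.crt" )
}

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Report certs that other users cannot read, and keys that anyone besides
# the owner can access. Returns non-zero if anything was reported.
check_modes() {
    dir=$1 rc=0
    for f in "$dir"/certs/*; do
        [ -f "$f" ] || continue
        m=$(mode_of "$f")
        case $m in
            *[4567]) ;;   # last digit has the read bit for "other"
            *) echo "cert not world-readable: $f ($m)"; rc=1 ;;
        esac
    done
    for f in "$dir"/private/*; do
        [ -f "$f" ] || continue
        m=$(mode_of "$f")
        case $m in
            [0-7]00) ;;   # no group or other bits set
            *) echo "key accessible beyond owner: $f ($m)"; rc=1 ;;
        esac
    done
    return $rc
}
```

Calling `make_pair DIR 077` reproduces the 600 certificate mode from the report, and `make_pair DIR 022` gives 644 while the key stays at 600.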
Comment 1 Joe Orton 2010-04-23 04:04:58 EDT
Per previous discussion, configuring any application to read all certs from:

  /etc/pki/tls/certs/

and treat such certs as trusted CA certs is a misconfiguration.  That directory is not intended to be used in that way, nor is it documented to be used that way.  The mod_ssl cert and private key are for use only by mod_ssl.
