Description of problem:

# ls -l /etc/candlepin/certs/
total 8
-rw-r--r--. 1 root katello 1834 Aug 28 04:44 candlepin-ca.crt
-rw-r-----. 1 root katello 1679 Aug 28 04:44 candlepin-ca.key
lrwxrwxrwx. 1 root katello 37 Aug 28 04:44 candlepin-upstream-ca.crt -> /etc/candlepin/certs/candlepin-ca.cr

Apache belongs to group katello, and the katello group can read candlepin-ca.key. Therefore user apache can read the private key of candlepin. This can be exploited if an attacker exploits apache. I believe that we do not need apache to have access to this private key.

Version-Release number of selected component (if applicable):
katello-1.1.7-1.git.31.8662665.el6.noarch

I expect that
chown root:root /etc/candlepin/certs/candlepin-ca.key
would solve this situation.

We use the cert+key in our apache conf for the default setup:

grep candlepin /etc/httpd/conf.d/katello.conf
SSLCertificateFile /etc/candlepin/certs/candlepin-ca.crt
SSLCertificateKeyFile /etc/candlepin/certs/candlepin-ca.key
SSLCaCertificateFile /etc/candlepin/certs/candlepin-ca.crt

Perhaps there is a better way to set this up so we don't have to do this.

I wonder there is no other way. We need to use candlepin CA.

I think we can close this:

[root@sat6 certs]# find / -name candlepin-ca.key
<EMPTY>
[root@sat6 certs]# pwd
/etc/pki/katello/certs
[root@sat6 certs]# ls -lah
total 44K
drwxr-xr-x. 2 root foreman 4.0K Aug 8 14:12 .
drwxr-xr-x. 5 root foreman 4.0K Aug 8 14:13 ..
-rw-r--r--. 1 root root 5.4K Aug 8 14:12 java-client.crt
-rw-r--r--. 1 root root 5.4K Aug 8 14:03 katello-apache.crt
-rw-r--r--. 1 root foreman 5.3K Aug 8 14:03 katello-ca.crt
-rw-r--r--. 1 root root 1.8K Aug 8 14:03 katello-ca-stripped.crt
-rw-r--r--. 1 root root 5.4K Aug 8 14:12 sat6.rdu.redhat.com-qpid-broker.crt

Yes.

[root@nightly ~]# id foreman
uid=497(foreman) gid=498(foreman) groups=498(foreman),52(puppet)
[root@nightly ~]# id apache
uid=48(apache) gid=48(apache) groups=48(apache)
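
Added example, not part of the original thread or of the Katello code: a small audit that combines an `ls -l` listing with `id` output, as the comments above do by eye, and reports which private key files an account can read. The function names and the gid 495 for katello are assumptions; only mode bits are modelled, not ACLs or SELinux.

```python
import re

# Listing as reported for /etc/candlepin/certs/ (the page truncates the symlink target).
REPORTED_LS = """\
total 8
-rw-r--r--. 1 root katello 1834 Aug 28 04:44 candlepin-ca.crt
-rw-r-----. 1 root katello 1679 Aug 28 04:44 candlepin-ca.key
lrwxrwxrwx. 1 root katello 37 Aug 28 04:44 candlepin-upstream-ca.crt -> /etc/candlepin/certs/candlepin-ca.cr
"""
# Constructed: apache as a member of katello, as the report describes (gid 495 is made up).
APACHE_IN_KATELLO = "uid=48(apache) gid=48(apache) groups=48(apache),495(katello)"
# `id apache` output quoted in the last comment of the thread.
APACHE_ALONE = "uid=48(apache) gid=48(apache) groups=48(apache)"


def parse_id(id_line):
    """Return (uid, user name, set of group names) from one line of `id` output."""
    uid, user = re.search(r"uid=(\d+)\(([^)]+)\)", id_line).groups()
    groups = set(re.findall(r"\d+\(([^)]+)\)", id_line.split("gid=", 1)[1]))
    return int(uid), user, groups


def can_read(ls_line, id_line):
    """Apply the POSIX class order (owner, then group, then other) to one `ls -l` line."""
    mode, _links, owner, group = ls_line.split()[:4]
    uid, user, groups = parse_id(id_line)
    if uid == 0:              # root bypasses discretionary permission bits
        return True
    if user == owner:         # owner class wins even if group bits are wider
        return mode[1] == "r"
    if group in groups:
        return mode[4] == "r"
    return mode[7] == "r"


def readable_keys(listing, id_line):
    """Names of regular *.key files in an `ls -l` listing that the account can read."""
    hits = []
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 9 or not line.startswith("-"):
            continue          # skip "total", symlinks, directories
        if fields[8].endswith(".key") and can_read(line, id_line):
            hits.append(fields[8])
    return hits


if __name__ == "__main__":
    print(readable_keys(REPORTED_LS, APACHE_IN_KATELLO))
```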