Bug 852452 – candlepin-ca.key is readable by apache

Bug 852452 - candlepin-ca.key is readable by apache

Summary:	candlepin-ca.key is readable by apache

Status:	CLOSED CURRENTRELEASE

Aliases:	None

Product:	Red Hat Satellite 6
Classification:	Red Hat
Component:	Installer (Show other bugs)
Sub Component:
Version:	6.0.0
Hardware:	Unspecified Unspecified

Priority	unspecified Severity unspecified (vote)
Target Milestone:	Unspecified
Target Release:	--
Assigned To:	Katello Bug Bin
QA Contact:	Katello QA List
Docs Contact:

URL:
Whiteboard:
Keywords:	Triaged

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2012-08-28 10:17 EDT by Miroslav Suchý
Modified:	2014-08-12 03:20 EDT (History)
CC List:	3 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2014-08-12 03:20:27 EDT
Type:	Bug
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Miroslav Suchý 2012-08-28 10:17:09 EDT

Description of problem:

# ls -l /etc/candlepin/certs/
total 8
-rw-r--r--. 1 root katello 1834 Aug 28 04:44 candlepin-ca.crt
-rw-r-----. 1 root katello    1679 Aug 28 04:44 candlepin-ca.key
lrwxrwxrwx. 1 root katello   37 Aug 28 04:44 candlepin-upstream-ca.crt -> /etc/candlepin/certs/candlepin-ca.cr

Apache belongs to group katello, katello group can read candlepin-ca.key.
Therefore user apache can read private key of candlepin.
This can be exploited if attacker exploit apache.
I believe that we do not need apache to have access to this private key.

Version-Release number of selected component (if applicable):
katello-1.1.7-1.git.31.8662665.el6.noarch

 
I expect that 
  chown root:root /etc/candlepin/certs/candlepin-ca.key
would solve this situation.

Comment 1 Mike McCune 2012-08-29 11:18:35 EDT

We use the cert+key in our apache conf for the default setup:

 grep candlepin /etc/httpd/conf.d/katello.conf 
  SSLCertificateFile /etc/candlepin/certs/candlepin-ca.crt
  SSLCertificateKeyFile /etc/candlepin/certs/candlepin-ca.key
  SSLCaCertificateFile /etc/candlepin/certs/candlepin-ca.crt

perhaps there is a better way to set this up so we don't have todo this

Comment 2 Lukas Zapletal 2012-08-30 09:53:29 EDT

I wonder there is no other way. We need to use candlepin CA.

Comment 3 Bryan Kearney 2014-08-11 15:24:41 EDT

I think we can close this:

[root@sat6 certs]# find / -name candlepin-ca.key
<EMPTY>

[root@sat6 certs]# pwd
/etc/pki/katello/certs
[root@sat6 certs]# ls -lah
total 44K
drwxr-xr-x. 2 root foreman 4.0K Aug  8 14:12 .
drwxr-xr-x. 5 root foreman 4.0K Aug  8 14:13 ..
-rw-r--r--. 1 root root    5.4K Aug  8 14:12 java-client.crt
-rw-r--r--. 1 root root    5.4K Aug  8 14:03 katello-apache.crt
-rw-r--r--. 1 root foreman 5.3K Aug  8 14:03 katello-ca.crt
-rw-r--r--. 1 root root    1.8K Aug  8 14:03 katello-ca-stripped.crt
-rw-r--r--. 1 root root    5.4K Aug  8 14:12 sat6.rdu.redhat.com-qpid-broker.crt

Comment 4 Lukas Zapletal 2014-08-12 03:20:27 EDT

Yes.

[root@nightly ~]# id foreman
uid=497(foreman) gid=498(foreman) groups=498(foreman),52(puppet)
[root@nightly ~]# id apache
uid=48(apache) gid=48(apache) groups=48(apache)

Note You need to log in before you can comment on or make changes to this bug.