Bug#571631: libapache2-mod-shib2: shib-keygen generates world-readable key file

Ferenc Wagner wferi at niif.hu
Thu Apr 1 11:15:32 UTC 2010


"Scott Cantor" <cantor.2 at osu.edu> writes:

>> Note that we can't just use umask 177 in the Debian version of this script
>> since Debian runs shibd as a non-root user and then won't be able to read
>> the certificate.  For Debian, we should set the group ownership to the
>> shibd user we create and make the file group-readable.
>
> If there's a better patch you'd like upstream for this use case, just add it
> to the SP bug report. I'm not shipping it any time soon, so whatever is
> easiest.

Don't you think it's kind of an openssl bug to create the key material
with full permissions?  Shouldn't it creat("keyfile", 0600)?

This aside, I'd recommend working around the issue by creating the key
file beforehand with restricted permissions, and not touching umask:

touch sp-key.pem
chmod 600 sp-key.pem
openssl req -config sp-cert.cnf -new -x509 -days $DAYS -keyout sp-key.pem -out sp-cert.pem

Users could then tune ownership and permissions without the risk of
leaking sensitive data during the process.  Distributions could add a
couple of lines to the end of the script to read up configuration files
and act accordingly.

https://bugs.internet2.edu/jira/browse/SSPCPP-281 is pretty much
orthogonal to this (and I'm not sure it's worth adding options which
could be simulated by a cd before and a chown after.)
-- 
Regards,
Feri.
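
Added example, not part of the original message or of shib-keygen: the pre-create workaround above wrapped in a shell function that also checks the key file's mode after generation, plus the group-readable step described in the quoted text for Debian. The helper names, the GROUP placeholder and the DAYS value in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of shib-keygen. Helper names are hypothetical.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Pre-create the key file as mode 600 while it is still empty, run the
# generator command given in the remaining arguments, then confirm the
# mode survived. A generator that replaces the file instead of writing
# into it would bring back umask-derived permissions; this is reported.
generate_key_restricted() {
    key=$1; shift
    touch "$key" || return 1
    chmod 600 "$key" || return 1
    "$@" || return 1
    mode=$(file_mode "$key")
    if [ "$mode" != 600 ]; then
        echo "$key: mode $mode after generation, expected 600" >&2
        return 1
    fi
}

# Case from the quoted text: the daemon runs as a non-root user, so hand
# the key to that user's group and make it group-readable (640).
# Called only after the mode check, so key material never sits in a
# file wider than 600 before the group is set.
grant_group_read() {
    chgrp "$2" "$1" && chmod 640 "$1"
}

# The openssl invocation from the message, run through the wrapper.
# DAYS and sp-cert.cnf are expected to exist as in the message.
make_sp_key() {
    generate_key_restricted sp-key.pem \
        openssl req -config sp-cert.cnf -new -x509 -days "$DAYS" \
            -keyout sp-key.pem -out sp-cert.pem
}

# Typical use (GROUP is a placeholder for the daemon's group, DAYS value
# is constructed):
#   DAYS=3650; make_sp_key && grant_group_read sp-key.pem "$GROUP"
```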




