Bug 1353936 - custodia.conf and server.keys file is world-readable.
Summary: custodia.conf and server.keys file is world-readable.
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Christian Heimes
QA Contact: Kaleem
Depends On:
Reported: 2016-07-08 12:59 UTC by Sudhir Menon
Modified: 2016-11-08 15:57 UTC (History)

Fixed In Version: ipa-4.4.0-9.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2016-11-04 05:56:53 UTC
Target Upstream Version:


System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2404 normal SHIPPED_LIVE ipa bug fix and enhancement update 2016-11-03 13:56:18 UTC

Description Sudhir Menon 2016-07-08 12:59:34 UTC
Description of problem: custodia.conf and server.keys files are world-readable.

Version-Release number of selected component (if applicable):

How reproducible: Always

Steps to Reproduce:
1. Install ipa-server.
2. Navigate to /etc/ipa/custodia/ directory
3. Check the permission for custodia.conf and server.keys file.

Actual results:
[root@server custodia]# ls -l
total 8
-rw-r--r--. 1 root root  636 Jul  8 12:51 custodia.conf
-rw-r--r--. 1 root root 3353 Jul  8 12:51 server.keys

Expected results:
Config files and keys should not be world-readable unless required.

Additional info:

Comment 3 Christian Heimes 2016-07-08 18:37:23 UTC
Only FreeIPA 4.3.0 and newer are affected. RHEL 7.2 has 4.2.0 without Custodia. Fedora 24 is affected by the flaw. I have contacted SecAlert and Fabio has embargoed the bug.

The attached patch just chmods the file. I feel like it is not enough. I'm going to work on a new patch that will re-generate the keys and update the keys in LDAP, too.

Comment 5 Christian Heimes 2016-07-11 08:16:22 UTC
It turned out that the issue isn't a security issue. The directory /etc/ipa/custodia has permission 755 and owner root:root. Nobody except root is allowed to enter the directory which means that nobody except root is allowed to read the private keys of Custodia. I only looked at the file permission and not the directory permission.

I'm still going to change the permission of the server.keys with the next release.

Comment 6 Christian Heimes 2016-07-11 08:34:42 UTC
PS: The directory belongs to ipa-server-common:

%dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia
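
To make the point of comments 5 and 6 concrete, here is an added Python check (not part of this bug's patch or of FreeIPA) that decides whether a file is effectively readable by an unrelated user: the file needs the "r" bit for others, and every directory on the way down needs the search ("x") bit for others. It rebuilds the reported layout in a temporary tree (a constructed sample, not a real install) with the custodia directory at 0755 and at 0700.

```python
import os
import shutil
import stat
import tempfile


def world_can_read(path, top="/"):
    """True only if an unrelated, unprivileged user could read `path`.

    Checks the 'r' bit for others on the file and the 'x' (search) bit for
    others on every directory from `top` down to the file's parent; directories
    above `top` are assumed traversable. POSIX ACLs are not considered, and
    root and the owning user are not subject to the 'other' bits anyway."""
    path, top = os.path.abspath(path), os.path.abspath(top)
    if not os.stat(path).st_mode & stat.S_IROTH:
        return False
    d = os.path.dirname(path)
    while True:
        if not os.stat(d).st_mode & stat.S_IXOTH:
            return False
        if d == top or d == os.path.dirname(d):  # reached `top` or "/"
            return True
        d = os.path.dirname(d)


# File modes as shown in the report's ls -l output (0644 on both files).
CUSTODIA_FILES = {"custodia.conf": 0o644, "server.keys": 0o644}


def audit_custodia_layout(dir_mode):
    """Build etc/ipa/custodia under a throw-away root with the given directory
    mode and the reported file modes; return {name: effectively_world_readable}."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)  # mkdtemp creates 0700; open the root so only dir_mode matters
    custodia = os.path.join(root, "etc", "ipa", "custodia")
    os.makedirs(custodia)
    for d in (os.path.join(root, "etc"), os.path.join(root, "etc", "ipa")):
        os.chmod(d, 0o755)  # set explicitly, independent of the process umask
    os.chmod(custodia, dir_mode)
    try:
        result = {}
        for name, mode in CUSTODIA_FILES.items():
            p = os.path.join(custodia, name)
            with open(p, "w") as f:
                f.write("placeholder, not real key material\n")
            os.chmod(p, mode)
            result[name] = world_can_read(p, top=root)
        return result
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print("custodia dir 0755:", audit_custodia_layout(0o755))  # both True
    print("custodia dir 0700:", audit_custodia_layout(0o700))  # both False
```

With the directory at 0700, as the ipa-server-common spec sets it, the 0644 mode on server.keys is unreachable by other users; a 0755 directory exposes both files.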

Comment 7 Adam Mariš 2016-07-11 09:52:23 UTC
(In reply to Christian Heimes from comment #5)
> It turned out that the issue isn't a security issue.

Okay then, thanks for info! So do we still need to have this private?

Comment 8 Petr Vobornik 2016-07-12 14:37:30 UTC
As per triage on Jul 12 we no longer need to keep this bug private as it is not a security issue and also Debian is not affected (has correct dir rights).

Comment 9 Petr Vobornik 2016-07-12 14:40:37 UTC
Upstream ticket:

Comment 10 Petr Vobornik 2016-07-12 14:42:20 UTC
Upstream ticket:

Comment 12 Martin Bašti 2016-08-24 15:04:18 UTC
* c346a2d1d19dea645d5afbc9578e7d6049d36275 Remove Custodia server keys from LDAP

Comment 15 Sudhir Menon 2016-09-14 12:45:07 UTC
Fix is seen. Verified on RHEL7.3 using 

server.keys file is no longer world-readable.

[root@master ipa]# ls -l | grep custodia
drwx------. 2 root root   46 Sep 13 13:25 custodia

[root@master custodia]# ls -l
total 8
-rw-r--r--. 1 root root  636 Sep 14 16:03 custodia.conf
-rw-------. 1 root root 3353 Sep 14 16:03 server.keys

Comment 17 errata-xmlrpc 2016-11-04 05:56:53 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.
