Fix permissions of default key files in raddb/certs
This commit is contained in:
parent
611a967618
commit
6d52794724
@ -0,0 +1,68 @@
|
||||
From 5a83dc7697eb354b2a75ed36c6a39446cf020b87 Mon Sep 17 00:00:00 2001
|
||||
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
|
||||
Date: Tue, 14 Mar 2017 14:55:57 +0200
|
||||
Subject: [PATCH] Relax OpenSSL permissions for default key files
|
||||
|
||||
Recent versions of OpenSSL appear to create keys with owner-only
|
||||
permissions. Allow owning group to read the created default key files
|
||||
in raddb/certs, so that they stay the same as with older OpenSSL, and
|
||||
that the server can read its key.
|
||||
|
||||
(cherry picked from commit 29add135c8d1f1f7ccc6ab6ca25af87b48575a5b)
|
||||
---
|
||||
raddb/certs/Makefile | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
|
||||
index 8141ae2b2..ef243c9b3 100644
|
||||
--- a/raddb/certs/Makefile
|
||||
+++ b/raddb/certs/Makefile
|
||||
@@ -62,6 +62,7 @@ ca.key ca.pem: ca.cnf
|
||||
@[ -f serial ] || $(MAKE) serial
|
||||
$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
|
||||
-days $(CA_DEFAULT_DAYS) -config ./ca.cnf
|
||||
+ chmod g+r ca.key
|
||||
|
||||
ca.der: ca.pem
|
||||
$(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
|
||||
@@ -73,15 +74,18 @@ ca.der: ca.pem
|
||||
######################################################################
|
||||
server.csr server.key: server.cnf
|
||||
$(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf
|
||||
+ chmod g+r server.key
|
||||
|
||||
server.crt: server.csr ca.key ca.pem
|
||||
$(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
|
||||
|
||||
server.p12: server.crt
|
||||
$(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
|
||||
+ chmod g+r server.p12
|
||||
|
||||
server.pem: server.p12
|
||||
$(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
|
||||
+ chmod g+r server.pem
|
||||
|
||||
.PHONY: server.vrfy
|
||||
server.vrfy: ca.pem
|
||||
@@ -95,15 +99,18 @@ server.vrfy: ca.pem
|
||||
######################################################################
|
||||
client.csr client.key: client.cnf
|
||||
$(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf
|
||||
+ chmod g+r client.key
|
||||
|
||||
client.crt: client.csr ca.pem ca.key
|
||||
$(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
|
||||
|
||||
client.p12: client.crt
|
||||
$(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
|
||||
+ chmod g+r client.p12
|
||||
|
||||
client.pem: client.p12
|
||||
$(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
|
||||
+ chmod g+r client.pem
|
||||
cp client.pem $(USER_NAME).pem
|
||||
|
||||
.PHONY: client.vrfy
|
||||
--
|
||||
2.11.0
|
||||
|
@ -1,7 +1,7 @@
|
||||
Summary: High-performance and highly configurable free RADIUS server
|
||||
Name: freeradius
|
||||
Version: 3.0.13
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPLv2+ and LGPLv2+
|
||||
Group: System Environment/Daemons
|
||||
URL: http://www.freeradius.org/
|
||||
@ -23,6 +23,7 @@ Source104: freeradius-tmpfiles.conf
|
||||
|
||||
Patch1: freeradius-redhat-config.patch
|
||||
Patch2: freeradius-Use-system-crypto-policy-by-default.patch
|
||||
Patch3: freeradius-Relax-OpenSSL-permissions-for-default-key-files.patch
|
||||
|
||||
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
|
||||
|
||||
@ -190,6 +191,7 @@ This plugin provides the REST support for the FreeRADIUS server project.
|
||||
# mistakenly includes the backup files, especially problematic for raddb config files.
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
|
||||
%build
|
||||
# Force compile/link options, extra security for network facing daemon
|
||||
@ -791,6 +793,9 @@ exit 0
|
||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
|
||||
|
||||
%changelog
|
||||
* Wed Mar 15 2017 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.13-2
|
||||
- Fix permissions of default key files in raddb/certs.
|
||||
|
||||
* Tue Mar 07 2017 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.13-1
|
||||
- Upgrade to upstream v3.0.13 release.
|
||||
See upstream ChangeLog for details (in freeradius-doc subpackage).
|
||||
|
Loading…
Reference in New Issue
Block a user