Fix permissions of default key files in raddb/certs

2017-03-15 10:44:24 +02:00 · 2017-03-15 10:44:24 +02:00 · 6d52794724
commit 6d52794724
parent 611a967618
2 changed files with 74 additions and 1 deletions
--- a/freeradius-Relax-OpenSSL-permissions-for-default-key-files.patch
+++ b/freeradius-Relax-OpenSSL-permissions-for-default-key-files.patch
@ -0,0 +1,68 @@
+From 5a83dc7697eb354b2a75ed36c6a39446cf020b87 Mon Sep 17 00:00:00 2001
+From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
+Date: Tue, 14 Mar 2017 14:55:57 +0200
+Subject: [PATCH] Relax OpenSSL permissions for default key files
+
+Recent versions of OpenSSL appear to create keys with owner-only
+permissions. Allow owning group to read the created default key files
+in raddb/certs, so that they stay the same as with older OpenSSL, and
+that the server can read its key.
+
+(cherry picked from commit 29add135c8d1f1f7ccc6ab6ca25af87b48575a5b)
+---
+ raddb/certs/Makefile | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
+index 8141ae2b2..ef243c9b3 100644
+--- a/raddb/certs/Makefile
+++ b/raddb/certs/Makefile
+@@ -62,6 +62,7 @@ ca.key ca.pem: ca.cnf
+ 	@[ -f serial ] || $(MAKE) serial
+ 	$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
+ 		-days $(CA_DEFAULT_DAYS) -config ./ca.cnf
+	chmod g+r ca.key
+ 
+ ca.der: ca.pem
+ 	$(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
+@@ -73,15 +74,18 @@ ca.der: ca.pem
+ ######################################################################
+ server.csr server.key: server.cnf
+ 	$(OPENSSL) req -new  -out server.csr -keyout server.key -config ./server.cnf
+	chmod g+r server.key
+ 
+ server.crt: server.csr ca.key ca.pem
+ 	$(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
+ 
+ server.p12: server.crt
+ 	$(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
+	chmod g+r server.p12
+ 
+ server.pem: server.p12
+ 	$(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
+	chmod g+r server.pem
+ 
+ .PHONY: server.vrfy
+ server.vrfy: ca.pem
+@@ -95,15 +99,18 @@ server.vrfy: ca.pem
+ ######################################################################
+ client.csr client.key: client.cnf
+ 	$(OPENSSL) req -new  -out client.csr -keyout client.key -config ./client.cnf
+	chmod g+r client.key
+ 
+ client.crt: client.csr ca.pem ca.key
+ 	$(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
+ 
+ client.p12: client.crt
+ 	$(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12  -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
+	chmod g+r client.p12
+ 
+ client.pem: client.p12
+ 	$(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
+	chmod g+r client.pem
+ 	cp client.pem $(USER_NAME).pem
+ 
+ .PHONY: client.vrfy
+-- 
+2.11.0
+
--- a/freeradius.spec
+++ b/freeradius.spec
@ -1,7 +1,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 3.0.13
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+ and LGPLv2+
 Group: System Environment/Daemons
 URL: http://www.freeradius.org/
@ -23,6 +23,7 @@ Source104: freeradius-tmpfiles.conf

 Patch1: freeradius-redhat-config.patch
 Patch2: freeradius-Use-system-crypto-policy-by-default.patch
+Patch3: freeradius-Relax-OpenSSL-permissions-for-default-key-files.patch

 %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}

@ -190,6 +191,7 @@ This plugin provides the REST support for the FreeRADIUS server project.
 # mistakenly includes the backup files, especially problematic for raddb config files.
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1

 %build
 # Force compile/link options, extra security for network facing daemon
@ -791,6 +793,9 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest

 %changelog
+* Wed Mar 15 2017 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.13-2
+- Fix permissions of default key files in raddb/certs.
+
 * Tue Mar 07 2017 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.13-1
 - Upgrade to upstream v3.0.13 release.
  See upstream ChangeLog for details (in freeradius-doc subpackage).