rpms/freeradius
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix permissions of default key files in raddb/certs

Browse Source
This commit is contained in:
Nikolai Kondrashov 2017-03-15 10:44:24 +02:00
parent 611a967618
commit 6d52794724
2 changed files with 74 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

68
freeradius-Relax-OpenSSL-permissions-for-default-key-files.patch Normal file
View File

@ -0,0 +1,68 @@
From 5a83dc7697eb354b2a75ed36c6a39446cf020b87 Mon Sep 17 00:00:00 2001
From: Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com>
Date: Tue, 14 Mar 2017 14:55:57 +0200
Subject: [PATCH] Relax OpenSSL permissions for default key files
Recent versions of OpenSSL appear to create keys with owner-only
permissions. Allow owning group to read the created default key files
in raddb/certs, so that they stay the same as with older OpenSSL, and
that the server can read its key.
(cherry picked from commit 29add135c8d1f1f7ccc6ab6ca25af87b48575a5b)
---
raddb/certs/Makefile | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
index 8141ae2b2..ef243c9b3 100644
--- a/raddb/certs/Makefile
+++ b/raddb/certs/Makefile
@@ -62,6 +62,7 @@ ca.key ca.pem: ca.cnf
@[ -f serial ] || $(MAKE) serial
$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
-days $(CA_DEFAULT_DAYS) -config ./ca.cnf
+ chmod g+r ca.key
ca.der: ca.pem
$(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
@@ -73,15 +74,18 @@ ca.der: ca.pem
######################################################################
server.csr server.key: server.cnf
$(OPENSSL) req -new -out server.csr -keyout server.key -config ./server.cnf
+ chmod g+r server.key
server.crt: server.csr ca.key ca.pem
$(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in server.csr -key $(PASSWORD_CA) -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf
server.p12: server.crt
$(OPENSSL) pkcs12 -export -in server.crt -inkey server.key -out server.p12 -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
+ chmod g+r server.p12
server.pem: server.p12
$(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
+ chmod g+r server.pem
.PHONY: server.vrfy
server.vrfy: ca.pem
@@ -95,15 +99,18 @@ server.vrfy: ca.pem
######################################################################
client.csr client.key: client.cnf
$(OPENSSL) req -new -out client.csr -keyout client.key -config ./client.cnf
+ chmod g+r client.key
client.crt: client.csr ca.pem ca.key
$(OPENSSL) ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key $(PASSWORD_CA) -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
client.p12: client.crt
$(OPENSSL) pkcs12 -export -in client.crt -inkey client.key -out client.p12 -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
+ chmod g+r client.p12
client.pem: client.p12
$(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
+ chmod g+r client.pem
cp client.pem $(USER_NAME).pem
.PHONY: client.vrfy
--
2.11.0

7
freeradius.spec
View File

@ -1,7 +1,7 @@
Summary: High-performance and highly configurable free RADIUS server Summary: High-performance and highly configurable free RADIUS server
Name: freeradius Name: freeradius
Version: 3.0.13 Version: 3.0.13
Release: 1%{?dist} Release: 2%{?dist}
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
Group: System Environment/Daemons Group: System Environment/Daemons
URL: http://www.freeradius.org/ URL: http://www.freeradius.org/
@ -23,6 +23,7 @@ Source104: freeradius-tmpfiles.conf
Patch1: freeradius-redhat-config.patch Patch1: freeradius-redhat-config.patch
Patch2: freeradius-Use-system-crypto-policy-by-default.patch Patch2: freeradius-Use-system-crypto-policy-by-default.patch
Patch3: freeradius-Relax-OpenSSL-permissions-for-default-key-files.patch
%global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}} %global docdir %{?_pkgdocdir}%{!?_pkgdocdir:%{_docdir}/%{name}-%{version}}
@ -190,6 +191,7 @@ This plugin provides the REST support for the FreeRADIUS server project.
# mistakenly includes the backup files, especially problematic for raddb config files. # mistakenly includes the backup files, especially problematic for raddb config files.
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p1
%build %build
# Force compile/link options, extra security for network facing daemon # Force compile/link options, extra security for network facing daemon
@ -791,6 +793,9 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
%changelog %changelog
* Wed Mar 15 2017 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.13-2
- Fix permissions of default key files in raddb/certs.
* Tue Mar 07 2017 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.13-1 * Tue Mar 07 2017 Nikolai Kondrashov <Nikolai.Kondrashov@redhat.com> - 3.0.13-1
- Upgrade to upstream v3.0.13 release. - Upgrade to upstream v3.0.13 release.
See upstream ChangeLog for details (in freeradius-doc subpackage). See upstream ChangeLog for details (in freeradius-doc subpackage).