Fix permissions on generated certificates

Signed-off-by: Alexander Scheel <ascheel@redhat.com>

freeradius-bootstrap-create-only.patch

@@ -15,7 +15,7 @@ index 0f719aafd4..be81a2d697 100755
 @@ -13,17 +13,6 @@
  umask 027
  cd `dirname $0`
- 
+
 -make -h > /dev/null 2>&1
 -
 -#
@@ -30,7 +30,7 @@ index 0f719aafd4..be81a2d697 100755
  #
  #  The following commands were created by running "make -n", and edited
  #  to remove the trailing backslash, and to add "exit 1" after the commands.
-@@ -31,52 +20,48 @@ fi
+@@ -31,52 +20,51 @@ fi
  #  Don't edit the following text.  Instead, edit the Makefile, and
  #  re-generate these commands.
  #
@@ -44,57 +44,60 @@ index 0f719aafd4..be81a2d697 100755
 -  fi
 +  ln -sf /dev/urandom random
  fi
- 
+
 -if [ ! -f server.key ]; then
 +if [ ! -e server.key ]; then
    openssl req -new  -out server.csr -keyout server.key -config ./server.cnf || exit 1
  fi
- 
+
 -if [ ! -f ca.key ]; then
 +if [ ! -e ca.key ]; then
    openssl req -new -x509 -keyout ca.key -out ca.pem -days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'` -config ./ca.cnf || exit 1
  fi
- 
+
 -if [ ! -f index.txt ]; then
 +if [ ! -e index.txt ]; then
    touch index.txt
  fi
- 
+
 -if [ ! -f serial ]; then
 +if [ ! -e serial ]; then
    echo '01' > serial
  fi
- 
+
 -if [ ! -f server.crt ]; then
 +if [ ! -e server.crt ]; then
    openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt -extensions xpserver_ext -extfile xpextensions -config ./server.cnf || exit 1
  fi
- 
+
 -if [ ! -f server.p12 ]; then
 +if [ ! -e server.p12 ]; then
    openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12  -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
  fi
- 
+
 -if [ ! -f server.pem ]; then
 +if [ ! -e server.pem ]; then
    openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'` || exit 1
    openssl verify -CAfile ca.pem server.pem || exit 1
  fi
- 
+
 -if [ ! -f ca.der ]; then
 +if [ ! -e ca.der ]; then
    openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der || exit 1
  fi
- 
+
 -if [ ! -f client.key ]; then
 +if [ ! -e client.key ]; then
    openssl req -new  -out client.csr -keyout client.key -config ./client.cnf
  fi
- 
+
 -if [ ! -f client.crt ]; then
 +if [ ! -e client.crt ]; then
    openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr  -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
  fi
--- 
++
++chown root:radiusd dh ca.* client.* server.*
++chmod 644 dh ca.* client.* server.*
+--
 2.21.0
 

freeradius.spec

@@ -1,7 +1,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 3.0.19
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: http://www.freeradius.org/
 
@@ -792,6 +792,9 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
 
 %changelog
+* Wed May 08 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.19-3
+- Update boostrap to change ownership of all certificates to root:radiusd
+
 * Wed May 08 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.19-2
 - Updated crypto-policies patch
 - Updated /etc/raddb/certs/bootstrap to only create certificates if missing: bz#1705165 bz#1672284

radiusd.service

@@ -6,8 +6,7 @@ After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.serv
 Type=forking
 PIDFile=/var/run/radiusd/radiusd.pid
 ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
-ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap create-only
-ExecStartPre=/bin/chgrp -R radiusd /etc/raddb/certs/
+ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap
 ExecStartPre=/usr/sbin/radiusd -C
 ExecStart=/usr/sbin/radiusd -d /etc/raddb
 ExecReload=/usr/sbin/radiusd -C