rpms/freeradius
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix permissions on generated certificates

Browse Source 
Signed-off-by: Alexander Scheel <ascheel@redhat.com>
This commit is contained in:
Alexander Scheel 2019-05-09 14:20:20 -04:00
parent a0af05f14f
commit 93f241adb1
No known key found for this signature in database
GPG Key ID: C0D6C737D0003143
3 changed files with 21 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
freeradius-bootstrap-create-only.patch
View File

@ -30,7 +30,7 @@ index 0f719aafd4..be81a2d697 100755
# #
# The following commands were created by running "make -n", and edited # The following commands were created by running "make -n", and edited
# to remove the trailing backslash, and to add "exit 1" after the commands. # to remove the trailing backslash, and to add "exit 1" after the commands.
@@ -31,52 +20,48 @@ fi @@ -31,52 +20,51 @@ fi
# Don't edit the following text. Instead, edit the Makefile, and # Don't edit the following text. Instead, edit the Makefile, and
# re-generate these commands. # re-generate these commands.
# #
@ -95,6 +95,9 @@ index 0f719aafd4..be81a2d697 100755
+if [ ! -e client.crt ]; then +if [ ! -e client.crt ]; then
openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf openssl ca -batch -keyfile ca.key -cert ca.pem -in client.csr -key `grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out client.crt -extensions xpclient_ext -extfile xpextensions -config ./client.cnf
fi fi
+
+chown root:radiusd dh ca.* client.* server.*
+chmod 644 dh ca.* client.* server.*
-- --
2.21.0 2.21.0

5
freeradius.spec
View File

@ -1,7 +1,7 @@
Summary: High-performance and highly configurable free RADIUS server Summary: High-performance and highly configurable free RADIUS server
Name: freeradius Name: freeradius
Version: 3.0.19 Version: 3.0.19
Release: 2%{?dist} Release: 3%{?dist}
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
URL: http://www.freeradius.org/ URL: http://www.freeradius.org/
@ -792,6 +792,9 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
%changelog %changelog
* Wed May 08 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.19-3
- Update boostrap to change ownership of all certificates to root:radiusd
* Wed May 08 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.19-2 * Wed May 08 2019 Alexander Scheel <ascheel@redhat.com> - 3.0.19-2
- Updated crypto-policies patch - Updated crypto-policies patch
- Updated /etc/raddb/certs/bootstrap to only create certificates if missing: bz#1705165 bz#1672284 - Updated /etc/raddb/certs/bootstrap to only create certificates if missing: bz#1705165 bz#1672284

3
radiusd.service
View File

@ -6,8 +6,7 @@ After=syslog.target network-online.target ipa.service dirsrv.target krb5kdc.serv
Type=forking Type=forking
PIDFile=/var/run/radiusd/radiusd.pid PIDFile=/var/run/radiusd/radiusd.pid
ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd ExecStartPre=-/bin/chown -R radiusd.radiusd /var/run/radiusd
ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap create-only ExecStartPre=/bin/sh /etc/raddb/certs/bootstrap
ExecStartPre=/bin/chgrp -R radiusd /etc/raddb/certs/
ExecStartPre=/usr/sbin/radiusd -C ExecStartPre=/usr/sbin/radiusd -C
ExecStart=/usr/sbin/radiusd -d /etc/raddb ExecStart=/usr/sbin/radiusd -d /etc/raddb
ExecReload=/usr/sbin/radiusd -C ExecReload=/usr/sbin/radiusd -C