Set correct permissions for certificates generated by bootstrap Makefile

While certificates have correct permissions set if generated through bootstrap script, they don't if they are generated using "make" directly. With this change certificate permissions are set to 640 and ownership to root:radiusd. Resolves: #2069224 Signed-off-by: Antonio Torres <antorres@redhat.com>
2022-04-28 18:07:33 +02:00 · 2022-04-28 18:07:33 +02:00 · ef9abe8892
commit ef9abe8892
parent 9ac9146445
2 changed files with 64 additions and 10 deletions
--- a/freeradius-bootstrap-pass-noenc-to-certificate-generation.patch
+++ b/freeradius-bootstrap-pass-noenc-to-certificate-generation.patch
@ -7,29 +7,52 @@ Bootstrap script would fail to generate certificates if run on systems
 with FIPS enabled. By passing the -noenc option, we can skip the usage
 of unsupported algorithms on these systems.

+After generating the certificates, correct permissions are set.
+
 Signed-off-by: Antonio Torres <antorres@redhat.com>

 [antorres@redhat.com]: patch adapted to work together with freeradius-bootstrap-create-only.patch.
 In bootstrap diff, -f is changed to -e in conditionals.
 ---
- raddb/certs/Makefile  | 8 ++++----
- raddb/certs/bootstrap | 6 +++---
- 2 files changed, 7 insertions(+), 7 deletions(-)
+ raddb/certs/Makefile  | 20 ++++++++++++++++----
+ raddb/certs/bootstrap |  6 +++---
+ 2 files changed, 19 insertions(+), 7 deletions(-)

 diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
-index 5cbfd467ce..df45884a55 100644
+index 5cbfd467ce..cb10394ec3 100644
 --- a/raddb/certs/Makefile
 +++ b/raddb/certs/Makefile
-@@ -71,7 +71,7 @@ ca.key ca.pem: ca.cnf
+@@ -60,6 +60,8 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
+ ######################################################################
+ dh:
+ 	$(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
+	chown root:radiusd dh
+	chmod 640 dh
+ 
+ ######################################################################
+ #
+@@ -71,8 +73,10 @@ ca.key ca.pem: ca.cnf
 	@[ -f serial ] || $(MAKE) serial
 	$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
 		-days $(CA_DEFAULT_DAYS) -config ./ca.cnf \
 -		-passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA)
 +		-passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA) -noenc
 	chmod g+r ca.key
+	chown root:radiusd ca.*
+	chmod 640 ca.*
 
 ca.der: ca.pem
-@@ -88,7 +88,7 @@ ca.crl: ca.pem
+ 	$(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
+@@ -81,6 +85,8 @@ ca.crl: ca.pem
+ 	$(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA)
+ 	$(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl
+ 	rm ca-crl.pem
+	chown root:radiusd ca.*
+	chmod 640 ca.*
+ 
+ ######################################################################
+ #
+@@ -88,7 +94,7 @@ ca.crl: ca.pem
 #
 ######################################################################
 server.csr server.key: server.cnf
@ -38,7 +61,16 @@ index 5cbfd467ce..df45884a55 100644
 	chmod g+r server.key
 
 server.crt: server.csr ca.key ca.pem
-@@ -113,7 +113,7 @@ server.vrfy: ca.pem
+@@ -101,6 +107,8 @@ server.p12: server.crt
+ server.pem: server.p12
+ 	$(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
+ 	chmod g+r server.pem
+	chown root:radiusd server.*
+	chmod 640 server.*
+ 
+ .PHONY: server.vrfy
+ server.vrfy: ca.pem
+@@ -113,7 +121,7 @@ server.vrfy: ca.pem
 #
 ######################################################################
 client.csr client.key: client.cnf
@ -47,7 +79,16 @@ index 5cbfd467ce..df45884a55 100644
 	chmod g+r client.key
 
 client.crt: client.csr ca.pem ca.key
-@@ -139,7 +139,7 @@ client.vrfy: ca.pem client.pem
+@@ -127,6 +135,8 @@ client.pem: client.p12
+ 	$(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
+ 	chmod g+r client.pem
+ 	cp client.pem $(USER_NAME).pem
+	chown root:radiusd client.*
+	chmod 640 client.*
+ 
+ .PHONY: client.vrfy
+ client.vrfy: ca.pem client.pem
+@@ -139,7 +149,7 @@ client.vrfy: ca.pem client.pem
 #
 ######################################################################
 inner-server.csr inner-server.key: inner-server.cnf
@ -56,6 +97,15 @@ index 5cbfd467ce..df45884a55 100644
 	chmod g+r inner-server.key
 
 inner-server.crt: inner-server.csr ca.key ca.pem
+@@ -152,6 +162,8 @@ inner-server.p12: inner-server.crt
+ inner-server.pem: inner-server.p12
+ 	$(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
+ 	chmod g+r inner-server.pem
+	chown root:radiusd inner-server.*
+	chmod 640 inner-server.*
+ 
+ .PHONY: inner-server.vrfy
+ inner-server.vrfy: ca.pem
 diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
 index 57de8cf0d7..c258ec45e0 100755
 --- a/raddb/certs/bootstrap
@ -83,4 +133,4 @@ index 57de8cf0d7..c258ec45e0 100755
 +  openssl req -new  -out client.csr -keyout client.key -config ./client.cnf -noenc
   chmod g+r client.key
 fi
- 
+ 
--- a/freeradius.spec
+++ b/freeradius.spec
@ -1,7 +1,7 @@
 Summary: High-performance and highly configurable free RADIUS server
 Name: freeradius
 Version: 3.0.21
-Release: 28%{?dist}
+Release: 29%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: http://www.freeradius.org/

@ -857,6 +857,10 @@ exit 0
 %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest

 %changelog
+* Thu Apr 28 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-29
+- Set correct permissions for certificates generated by bootstrap Makefile
+  Related: rhbz#2069224
+
 * Mon Apr 25 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-28
 - bootstrap: pass -noenc to certificate generation, do it on script as well
  Related: rhbz#2069224