diff --git a/freeradius-bootstrap-pass-noenc-to-certificate-generation.patch b/freeradius-bootstrap-pass-noenc-to-certificate-generation.patch index d053cd4..b3dc68e 100644 --- a/freeradius-bootstrap-pass-noenc-to-certificate-generation.patch +++ b/freeradius-bootstrap-pass-noenc-to-certificate-generation.patch @@ -7,29 +7,52 @@ Bootstrap script would fail to generate certificates if run on systems with FIPS enabled. By passing the -noenc option, we can skip the usage of unsupported algorithms on these systems. +After generating the certificates, correct permissions are set. + Signed-off-by: Antonio Torres [antorres@redhat.com]: patch adapted to work together with freeradius-bootstrap-create-only.patch. In bootstrap diff, -f is changed to -e in conditionals. --- - raddb/certs/Makefile | 8 ++++---- - raddb/certs/bootstrap | 6 +++--- - 2 files changed, 7 insertions(+), 7 deletions(-) + raddb/certs/Makefile | 20 ++++++++++++++++---- + raddb/certs/bootstrap | 6 +++--- + 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile -index 5cbfd467ce..df45884a55 100644 +index 5cbfd467ce..cb10394ec3 100644 --- a/raddb/certs/Makefile 
+++ b/raddb/certs/Makefile
-@@ -71,7 +71,7 @@ ca.key ca.pem: ca.cnf
+@@ -60,6 +60,8 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
+ ######################################################################
+ dh:
+ $(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
++ chown root:radiusd dh
++ chmod 640 dh
+
+ ######################################################################
+ #
+@@ -71,8 +73,10 @@ ca.key ca.pem: ca.cnf
@[ -f serial ] || $(MAKE) serial
$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
-days $(CA_DEFAULT_DAYS) -config ./ca.cnf \
-passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA)
+ -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA) -noenc
chmod g+r ca.key
++ chown root:radiusd ca.*
++ chmod 640 ca.*

ca.der: ca.pem
-@@ -88,7 +88,7 @@ ca.crl: ca.pem
+ $(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
+@@ -81,6 +85,8 @@ ca.crl: ca.pem
+ $(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA)
+ $(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl
+ rm ca-crl.pem
++ chown root:radiusd ca.*
++ chmod 640 ca.*
+
+ ######################################################################
+ #
+@@ -88,7 +94,7 @@ ca.crl: ca.pem
#
######################################################################
server.csr server.key: server.cnf
@@ -38,7 +61,16 @@ index 5cbfd467ce..df45884a55 100644
chmod g+r server.key

server.crt: server.csr ca.key ca.pem
-@@ -113,7 +113,7 @@ server.vrfy: ca.pem
+@@ -101,6 +107,8 @@ server.p12: server.crt
+ server.pem: server.p12
+ $(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
+ chmod g+r server.pem
++ chown root:radiusd server.*
++ chmod 640 server.*
+
+ .PHONY: server.vrfy
+ server.vrfy: ca.pem
+@@ -113,7 +121,7 @@ server.vrfy: ca.pem
#
######################################################################
client.csr client.key: client.cnf
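Review bot: `chmod 640 ca.*` in the ca.key/ca.pem rule grants the radiusd group read access to the CA private key together with ca.pem, although ca.key is consumed only by the Makefile's own signing and `-gencrl` steps; if, as in the usual EAP configuration, the daemon reads just ca.pem and ca.crl, the CA signing key is better kept out of the service account's reach with `chmod 600 ca.key` after the sweep, at which point the surviving `chmod g+r ca.key` context line goes. The `ca.*` glob also rewrites ca.cnf (and ca.der/ca.crl on reruns), which is harmless but deserves a comment such as `# ca.* also matches ca.cnf; only the daemon-facing files need group access`. `chown root:radiusd` only succeeds as root, so an unprivileged rerun of this Makefile now aborts mid-rule after the key has already been written; whether that path matters for the packaged use is not visible here. The ca.key rule header precedes the hunk and the ca.crl rule's first lines sit outside it.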
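Review bot: In the server.pem rule the surviving `chmod g+r server.pem` is now dead, since the new `chmod 640 server.*` two lines later already grants group read; the same redundancy is left behind as `chmod g+r ca.key` in the ca rule above and in the client.pem and inner-server.pem rules of the next two Makefile hunks. The `server.*` sweep also hands server.key, server.csr and server.p12 to the radiusd group although, if the daemon reads only server.pem as the default EAP configuration does, `chown root:radiusd server.pem` / `chmod 640 server.pem` would match the actual need and leave the intermediates root-only. The script fallback in raddb/certs/bootstrap, visible in a later hunk, still ends with `chmod g+r client.key` and receives no chown/640 at all, so the permission fix currently covers the make path only. The server.csr/server.key rule header is in this hunk but its body lies outside it.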
@@ -47,7 +79,16 @@ index 5cbfd467ce..df45884a55 100644
chmod g+r client.key

client.crt: client.csr ca.pem ca.key
-@@ -139,7 +139,7 @@ client.vrfy: ca.pem client.pem
+@@ -127,6 +135,8 @@ client.pem: client.p12
+ $(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
+ chmod g+r client.pem
+ cp client.pem $(USER_NAME).pem
++ chown root:radiusd client.*
++ chmod 640 client.*
+
+ .PHONY: client.vrfy
+ client.vrfy: ca.pem client.pem
+@@ -139,7 +149,7 @@ client.vrfy: ca.pem client.pem
#
######################################################################
inner-server.csr inner-server.key: inner-server.cnf
@@ -56,6 +97,15 @@ index 5cbfd467ce..df45884a55 100644
chmod g+r inner-server.key

inner-server.crt: inner-server.csr ca.key ca.pem
+@@ -152,6 +162,8 @@ inner-server.p12: inner-server.crt
+ inner-server.pem: inner-server.p12
+ $(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
+ chmod g+r inner-server.pem
++ chown root:radiusd inner-server.*
++ chmod 640 inner-server.*
+
+ .PHONY: inner-server.vrfy
+ inner-server.vrfy: ca.pem
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index 57de8cf0d7..c258ec45e0 100755
--- a/raddb/certs/bootstrap
@@ -83,4 +133,4 @@ index 57de8cf0d7..c258ec45e0 100755
+ openssl req -new -out client.csr -keyout client.key -config ./client.cnf -noenc
chmod g+r client.key
fi
-
+
\ No newline at end of file
diff --git a/freeradius.spec b/freeradius.spec
index 393bd6e..505bf1a 100644
--- a/freeradius.spec
+++ b/freeradius.spec
@@ -1,7 +1,7 @@
Summary: High-performance and highly configurable free RADIUS server
Name: freeradius
Version: 3.0.21
-Release: 28%{?dist}
+Release: 29%{?dist}
License: GPLv2+ and LGPLv2+
URL: http://www.freeradius.org/
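Review bot: `cp client.pem $(USER_NAME).pem` copies the PEM that carries the client private key to a file the `chown root:radiusd client.*` / `chmod 640 client.*` sweep two lines below does not match unless USER_NAME happens to start with `client.`, so the copy keeps whatever mode cp gave it under the current umask while client.pem itself is tightened. Include the copy in both commands, `chown root:radiusd client.* $(USER_NAME).pem` and `chmod 640 client.* $(USER_NAME).pem`, or run the sweep before the cp and copy with `cp -p`. The client.pem rule is the inner `+@@` hunk's own context and its body continues in the added lines; the enclosing outer hunk ends at the inner-server rule header.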
@@ -857,6 +857,10 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
%changelog
+* Thu Apr 28 2022 Antonio Torres - 3.0.21-29
+- Set correct permissions for certificates generated by bootstrap Makefile
+ Related: rhbz#2069224
+
* Mon Apr 25 2022 Antonio Torres - 3.0.21-28
- bootstrap: pass -noenc to certificate generation, do it on script as well
Related: rhbz#2069224