Set correct permissions for certificates generated by bootstrap Makefile

While certificates have correct permissions set if generated through
bootstrap script, they don't if they are generated using "make"
directly. With this change certificate permissions are set to 640 and
ownership to root:radiusd.

Resolves: #2069224
Signed-off-by: Antonio Torres <antorres@redhat.com>
This commit is contained in:
Antonio Torres 2022-04-28 18:07:33 +02:00
parent 9ac9146445
commit ef9abe8892
No known key found for this signature in database
GPG Key ID: 359FAF777296F653
2 changed files with 64 additions and 10 deletions

@ -7,29 +7,52 @@ Bootstrap script would fail to generate certificates if run on systems
with FIPS enabled. By passing the -noenc option, we can skip the usage with FIPS enabled. By passing the -noenc option, we can skip the usage
of unsupported algorithms on these systems. of unsupported algorithms on these systems.
After generating the certificates, correct permissions are set.
Signed-off-by: Antonio Torres <antorres@redhat.com> Signed-off-by: Antonio Torres <antorres@redhat.com>
[antorres@redhat.com]: patch adapted to work together with freeradius-bootstrap-create-only.patch. [antorres@redhat.com]: patch adapted to work together with freeradius-bootstrap-create-only.patch.
In bootstrap diff, -f is changed to -e in conditionals. In bootstrap diff, -f is changed to -e in conditionals.
--- ---
raddb/certs/Makefile | 8 ++++---- raddb/certs/Makefile | 20 ++++++++++++++++----
raddb/certs/bootstrap | 6 +++--- raddb/certs/bootstrap | 6 +++---
2 files changed, 7 insertions(+), 7 deletions(-) 2 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
index 5cbfd467ce..df45884a55 100644 index 5cbfd467ce..cb10394ec3 100644
--- a/raddb/certs/Makefile --- a/raddb/certs/Makefile
+++ b/raddb/certs/Makefile +++ b/raddb/certs/Makefile
@@ -71,7 +71,7 @@ ca.key ca.pem: ca.cnf @@ -60,6 +60,8 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
######################################################################
dh:
$(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
+ chown root:radiusd dh
+ chmod 640 dh
######################################################################
#
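Review bot: the `chown root:radiusd dh` added to the `dh` target (and the same pattern in the later targets) will fail whenever `make` is invoked as an unprivileged user, so after `dhparam` succeeds the target now errors out and leaves the build half-done. If running as root is a hard requirement it should be stated in the Makefile or patch description; otherwise consider making the ownership step non-fatal (`-chown root:radiusd dh`) or guarding it with an `id -u` check so the permission fix does not turn the existing non-root workflow into a failure.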
@@ -71,8 +73,10 @@ ca.key ca.pem: ca.cnf
@[ -f serial ] || $(MAKE) serial @[ -f serial ] || $(MAKE) serial
$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \ $(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
-days $(CA_DEFAULT_DAYS) -config ./ca.cnf \ -days $(CA_DEFAULT_DAYS) -config ./ca.cnf \
- -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA) - -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA)
+ -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA) -noenc + -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA) -noenc
chmod g+r ca.key chmod g+r ca.key
+ chown root:radiusd ca.*
+ chmod 640 ca.*
ca.der: ca.pem ca.der: ca.pem
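Review bot: `chmod g+r ca.key` directly above the new `chmod 640 ca.*` is now redundant, since `640` already grants group read and additionally removes any other-readable bit. Dropping the `g+r` line would leave a single, explicit statement of the intended mode, which is easier to audit than two chmods applied in sequence. Note also that the `ca.*` glob covers every file with that prefix in the directory, including ones produced by other targets (`ca.der`, `ca.crl`), which seems intended here but is worth a one-line comment so nobody later "fixes" it to a single file.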
@@ -88,7 +88,7 @@ ca.crl: ca.pem $(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
@@ -81,6 +85,8 @@ ca.crl: ca.pem
$(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA)
$(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl
rm ca-crl.pem
+ chown root:radiusd ca.*
+ chmod 640 ca.*
######################################################################
#
@@ -88,7 +94,7 @@ ca.crl: ca.pem
# #
###################################################################### ######################################################################
server.csr server.key: server.cnf server.csr server.key: server.cnf
@ -38,7 +61,16 @@ index 5cbfd467ce..df45884a55 100644
chmod g+r server.key chmod g+r server.key
server.crt: server.csr ca.key ca.pem server.crt: server.csr ca.key ca.pem
@@ -113,7 +113,7 @@ server.vrfy: ca.pem @@ -101,6 +107,8 @@ server.p12: server.crt
server.pem: server.p12
$(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
chmod g+r server.pem
+ chown root:radiusd server.*
+ chmod 640 server.*
.PHONY: server.vrfy
server.vrfy: ca.pem
@@ -113,7 +121,7 @@ server.vrfy: ca.pem
# #
###################################################################### ######################################################################
client.csr client.key: client.cnf client.csr client.key: client.cnf
@ -47,7 +79,16 @@ index 5cbfd467ce..df45884a55 100644
chmod g+r client.key chmod g+r client.key
client.crt: client.csr ca.pem ca.key client.crt: client.csr ca.pem ca.key
@@ -139,7 +139,7 @@ client.vrfy: ca.pem client.pem @@ -127,6 +135,8 @@ client.pem: client.p12
$(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
chmod g+r client.pem
cp client.pem $(USER_NAME).pem
+ chown root:radiusd client.*
+ chmod 640 client.*
.PHONY: client.vrfy
client.vrfy: ca.pem client.pem
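Review bot: in the `client.pem` target the copy `cp client.pem $(USER_NAME).pem` runs before the new `chown root:radiusd client.*` / `chmod 640 client.*`, and the `client.*` glob does not match `$(USER_NAME).pem`, so the user-named copy keeps the invoking user's ownership and umask-derived mode even though it holds the same private key material as `client.pem`. Suggest listing it explicitly, e.g. `chown root:radiusd client.* $(USER_NAME).pem` and `chmod 640 client.* $(USER_NAME).pem`, so the copy ends up with the same restricted permissions as the original.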
@@ -139,7 +149,7 @@ client.vrfy: ca.pem client.pem
# #
###################################################################### ######################################################################
inner-server.csr inner-server.key: inner-server.cnf inner-server.csr inner-server.key: inner-server.cnf
@ -56,6 +97,15 @@ index 5cbfd467ce..df45884a55 100644
chmod g+r inner-server.key chmod g+r inner-server.key
inner-server.crt: inner-server.csr ca.key ca.pem inner-server.crt: inner-server.csr ca.key ca.pem
@@ -152,6 +162,8 @@ inner-server.p12: inner-server.crt
inner-server.pem: inner-server.p12
$(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
chmod g+r inner-server.pem
+ chown root:radiusd inner-server.*
+ chmod 640 inner-server.*
.PHONY: inner-server.vrfy
inner-server.vrfy: ca.pem
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index 57de8cf0d7..c258ec45e0 100755 index 57de8cf0d7..c258ec45e0 100755
--- a/raddb/certs/bootstrap --- a/raddb/certs/bootstrap
@ -83,4 +133,4 @@ index 57de8cf0d7..c258ec45e0 100755
+ openssl req -new -out client.csr -keyout client.key -config ./client.cnf -noenc + openssl req -new -out client.csr -keyout client.key -config ./client.cnf -noenc
chmod g+r client.key chmod g+r client.key
fi fi

@ -1,7 +1,7 @@
Summary: High-performance and highly configurable free RADIUS server Summary: High-performance and highly configurable free RADIUS server
Name: freeradius Name: freeradius
Version: 3.0.21 Version: 3.0.21
Release: 28%{?dist} Release: 29%{?dist}
License: GPLv2+ and LGPLv2+ License: GPLv2+ and LGPLv2+
URL: http://www.freeradius.org/ URL: http://www.freeradius.org/
@ -857,6 +857,10 @@ exit 0
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest %attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
%changelog %changelog
* Thu Apr 28 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-29
- Set correct permissions for certificates generated by bootstrap Makefile
Related: rhbz#2069224
* Mon Apr 25 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-28 * Mon Apr 25 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-28
- bootstrap: pass -noenc to certificate generation, do it on script as well - bootstrap: pass -noenc to certificate generation, do it on script as well
Related: rhbz#2069224 Related: rhbz#2069224
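Review bot: the new changelog entry tags the bug as `Related: rhbz#2069224` while the commit message says `Resolves: #2069224`; pick one so the spec file and the git history agree on whether this change closes the bug or only relates to it. The entry text itself matches the commit subject, and the Release bump to `29%{?dist}` is consistent with the new changelog version, so nothing else in this hunk needs changing.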