Set correct permissions for certificates generated by bootstrap Makefile
While certificates have correct permissions set if generated through bootstrap script, they don't if they are generated using "make" directly. With this change certificate permissions are set to 640 and ownership to root:radiusd. Resolves: #2069224 Signed-off-by: Antonio Torres <antorres@redhat.com>
This commit is contained in:
parent
9ac9146445
commit
ef9abe8892
@ -7,29 +7,52 @@ Bootstrap script would fail to generate certificates if run on systems
|
|||||||
with FIPS enabled. By passing the -noenc option, we can skip the usage
|
with FIPS enabled. By passing the -noenc option, we can skip the usage
|
||||||
of unsupported algorithms on these systems.
|
of unsupported algorithms on these systems.
|
||||||
|
|
||||||
|
After generating the certificates, correct permissions are set.
|
||||||
|
|
||||||
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
Signed-off-by: Antonio Torres <antorres@redhat.com>
|
||||||
|
|
||||||
[antorres@redhat.com]: patch adapted to work together with freeradius-bootstrap-create-only.patch.
|
[antorres@redhat.com]: patch adapted to work together with freeradius-bootstrap-create-only.patch.
|
||||||
In bootstrap diff, -f is changed to -e in conditionals.
|
In bootstrap diff, -f is changed to -e in conditionals.
|
||||||
---
|
---
|
||||||
raddb/certs/Makefile | 8 ++++----
|
raddb/certs/Makefile | 20 ++++++++++++++++----
|
||||||
raddb/certs/bootstrap | 6 +++---
|
raddb/certs/bootstrap | 6 +++---
|
||||||
2 files changed, 7 insertions(+), 7 deletions(-)
|
2 files changed, 19 insertions(+), 7 deletions(-)
|
||||||
|
|
||||||
diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
|
diff --git a/raddb/certs/Makefile b/raddb/certs/Makefile
|
||||||
index 5cbfd467ce..df45884a55 100644
|
index 5cbfd467ce..cb10394ec3 100644
|
||||||
--- a/raddb/certs/Makefile
|
--- a/raddb/certs/Makefile
|
||||||
+++ b/raddb/certs/Makefile
|
+++ b/raddb/certs/Makefile
|
||||||
@@ -71,7 +71,7 @@ ca.key ca.pem: ca.cnf
|
@@ -60,6 +60,8 @@ passwords.mk: server.cnf ca.cnf client.cnf inner-server.cnf
|
||||||
|
######################################################################
|
||||||
|
dh:
|
||||||
|
$(OPENSSL) dhparam -out dh -2 $(DH_KEY_SIZE)
|
||||||
|
+ chown root:radiusd dh
|
||||||
|
+ chmod 640 dh
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
@@ -71,8 +73,10 @@ ca.key ca.pem: ca.cnf
|
||||||
@[ -f serial ] || $(MAKE) serial
|
@[ -f serial ] || $(MAKE) serial
|
||||||
$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
|
$(OPENSSL) req -new -x509 -keyout ca.key -out ca.pem \
|
||||||
-days $(CA_DEFAULT_DAYS) -config ./ca.cnf \
|
-days $(CA_DEFAULT_DAYS) -config ./ca.cnf \
|
||||||
- -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA)
|
- -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA)
|
||||||
+ -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA) -noenc
|
+ -passin pass:$(PASSWORD_CA) -passout pass:$(PASSWORD_CA) -noenc
|
||||||
chmod g+r ca.key
|
chmod g+r ca.key
|
||||||
|
+ chown root:radiusd ca.*
|
||||||
|
+ chmod 640 ca.*
|
||||||
|
|
||||||
ca.der: ca.pem
|
ca.der: ca.pem
|
||||||
@@ -88,7 +88,7 @@ ca.crl: ca.pem
|
$(OPENSSL) x509 -inform PEM -outform DER -in ca.pem -out ca.der
|
||||||
|
@@ -81,6 +85,8 @@ ca.crl: ca.pem
|
||||||
|
$(OPENSSL) ca -gencrl -keyfile ca.key -cert ca.pem -config ./ca.cnf -out ca-crl.pem -key $(PASSWORD_CA)
|
||||||
|
$(OPENSSL) crl -in ca-crl.pem -outform der -out ca.crl
|
||||||
|
rm ca-crl.pem
|
||||||
|
+ chown root:radiusd ca.*
|
||||||
|
+ chmod 640 ca.*
|
||||||
|
|
||||||
|
######################################################################
|
||||||
|
#
|
||||||
|
@@ -88,7 +94,7 @@ ca.crl: ca.pem
|
||||||
#
|
#
|
||||||
######################################################################
|
######################################################################
|
||||||
server.csr server.key: server.cnf
|
server.csr server.key: server.cnf
|
||||||
@ -38,7 +61,16 @@ index 5cbfd467ce..df45884a55 100644
|
|||||||
chmod g+r server.key
|
chmod g+r server.key
|
||||||
|
|
||||||
server.crt: server.csr ca.key ca.pem
|
server.crt: server.csr ca.key ca.pem
|
||||||
@@ -113,7 +113,7 @@ server.vrfy: ca.pem
|
@@ -101,6 +107,8 @@ server.p12: server.crt
|
||||||
|
server.pem: server.p12
|
||||||
|
$(OPENSSL) pkcs12 -in server.p12 -out server.pem -passin pass:$(PASSWORD_SERVER) -passout pass:$(PASSWORD_SERVER)
|
||||||
|
chmod g+r server.pem
|
||||||
|
+ chown root:radiusd server.*
|
||||||
|
+ chmod 640 server.*
|
||||||
|
|
||||||
|
.PHONY: server.vrfy
|
||||||
|
server.vrfy: ca.pem
|
||||||
|
@@ -113,7 +121,7 @@ server.vrfy: ca.pem
|
||||||
#
|
#
|
||||||
######################################################################
|
######################################################################
|
||||||
client.csr client.key: client.cnf
|
client.csr client.key: client.cnf
|
||||||
@ -47,7 +79,16 @@ index 5cbfd467ce..df45884a55 100644
|
|||||||
chmod g+r client.key
|
chmod g+r client.key
|
||||||
|
|
||||||
client.crt: client.csr ca.pem ca.key
|
client.crt: client.csr ca.pem ca.key
|
||||||
@@ -139,7 +139,7 @@ client.vrfy: ca.pem client.pem
|
@@ -127,6 +135,8 @@ client.pem: client.p12
|
||||||
|
$(OPENSSL) pkcs12 -in client.p12 -out client.pem -passin pass:$(PASSWORD_CLIENT) -passout pass:$(PASSWORD_CLIENT)
|
||||||
|
chmod g+r client.pem
|
||||||
|
cp client.pem $(USER_NAME).pem
|
||||||
|
+ chown root:radiusd client.*
|
||||||
|
+ chmod 640 client.*
|
||||||
|
|
||||||
|
.PHONY: client.vrfy
|
||||||
|
client.vrfy: ca.pem client.pem
|
||||||
|
@@ -139,7 +149,7 @@ client.vrfy: ca.pem client.pem
|
||||||
#
|
#
|
||||||
######################################################################
|
######################################################################
|
||||||
inner-server.csr inner-server.key: inner-server.cnf
|
inner-server.csr inner-server.key: inner-server.cnf
|
||||||
@ -56,6 +97,15 @@ index 5cbfd467ce..df45884a55 100644
|
|||||||
chmod g+r inner-server.key
|
chmod g+r inner-server.key
|
||||||
|
|
||||||
inner-server.crt: inner-server.csr ca.key ca.pem
|
inner-server.crt: inner-server.csr ca.key ca.pem
|
||||||
|
@@ -152,6 +162,8 @@ inner-server.p12: inner-server.crt
|
||||||
|
inner-server.pem: inner-server.p12
|
||||||
|
$(OPENSSL) pkcs12 -in inner-server.p12 -out inner-server.pem -passin pass:$(PASSWORD_INNER) -passout pass:$(PASSWORD_INNER)
|
||||||
|
chmod g+r inner-server.pem
|
||||||
|
+ chown root:radiusd inner-server.*
|
||||||
|
+ chmod 640 inner-server.*
|
||||||
|
|
||||||
|
.PHONY: inner-server.vrfy
|
||||||
|
inner-server.vrfy: ca.pem
|
||||||
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
|
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
|
||||||
index 57de8cf0d7..c258ec45e0 100755
|
index 57de8cf0d7..c258ec45e0 100755
|
||||||
--- a/raddb/certs/bootstrap
|
--- a/raddb/certs/bootstrap
|
||||||
@ -83,4 +133,4 @@ index 57de8cf0d7..c258ec45e0 100755
|
|||||||
+ openssl req -new -out client.csr -keyout client.key -config ./client.cnf -noenc
|
+ openssl req -new -out client.csr -keyout client.key -config ./client.cnf -noenc
|
||||||
chmod g+r client.key
|
chmod g+r client.key
|
||||||
fi
|
fi
|
||||||
|
|
@ -1,7 +1,7 @@
|
|||||||
Summary: High-performance and highly configurable free RADIUS server
|
Summary: High-performance and highly configurable free RADIUS server
|
||||||
Name: freeradius
|
Name: freeradius
|
||||||
Version: 3.0.21
|
Version: 3.0.21
|
||||||
Release: 28%{?dist}
|
Release: 29%{?dist}
|
||||||
License: GPLv2+ and LGPLv2+
|
License: GPLv2+ and LGPLv2+
|
||||||
URL: http://www.freeradius.org/
|
URL: http://www.freeradius.org/
|
||||||
|
|
||||||
@ -857,6 +857,10 @@ exit 0
|
|||||||
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
|
%attr(640,root,radiusd) %config(noreplace) /etc/raddb/mods-available/rest
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Apr 28 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-29
|
||||||
|
- Set correct permissions for certificates generated by bootstrap Makefile
|
||||||
|
Related: rhbz#2069224
|
||||||
|
|
||||||
* Mon Apr 25 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-28
|
* Mon Apr 25 2022 Antonio Torres <antorres@redhat.com> - 3.0.21-28
|
||||||
- bootstrap: pass -noenc to certificate generation, do it on script as well
|
- bootstrap: pass -noenc to certificate generation, do it on script as well
|
||||||
Related: rhbz#2069224
|
Related: rhbz#2069224
|
||||||
|
Loading…
Reference in New Issue
Block a user