Commit 22114677 authored by Helga Velroyen's avatar Helga Velroyen
Browse files

Setting correct permissions of client cert (split-user)



This patch makes sure that the client certificate gets
the right permissions and owner when created. Additionally
it enhances the 'ensure_dirs' script to correct the
permissions in case they are broken for whatever reason.
Signed-off-by: default avatarHelga Velroyen <helgav@google.com>
Reviewed-by: default avatarJose Lopes <jabolopes@google.com>
parent 7d720a67
......@@ -1192,6 +1192,7 @@ def GetCryptoTokens(token_requests):
@return: list of tuples of the token type and the public crypto token
"""
getents = runtime.GetEnts()
_VALID_CERT_FILES = [pathutils.NODED_CERT_FILE,
pathutils.NODED_CLIENT_CERT_FILE,
pathutils.NODED_CLIENT_CERT_FILE_TMP]
......@@ -1237,7 +1238,8 @@ def GetCryptoTokens(token_requests):
utils.GenerateNewSslCert(
True, cert_filename, serial_no,
"Create new client SSL certificate in %s." % cert_filename)
"Create new client SSL certificate in %s." % cert_filename,
uid=getents.masterd_uid, gid=getents.masterd_gid)
tokens.append((token_type,
utils.GetCertificateDigest(
cert_filename=cert_filename)))
......
......@@ -151,6 +151,8 @@ def GetPaths():
getent.noded_uid, getent.masterd_gid, False),
(pathutils.NODED_CERT_FILE, FILE, pathutils.NODED_CERT_MODE,
getent.masterd_uid, getent.masterd_gid, False),
(pathutils.NODED_CLIENT_CERT_FILE, FILE, pathutils.NODED_CERT_MODE,
getent.masterd_uid, getent.masterd_gid, False),
(pathutils.WATCHER_PAUSEFILE, FILE, 0644,
getent.masterd_uid, getent.masterd_gid, False),
]
......
......@@ -100,7 +100,8 @@ def GetCertificateDigest(cert_filename=pathutils.NODED_CLIENT_CERT_FILE):
return cert.digest("sha1")
def GenerateNewSslCert(new_cert, cert_filename, serial_no, log_msg):
def GenerateNewSslCert(new_cert, cert_filename, serial_no, log_msg,
uid=-1, gid=-1):
"""Creates a new SSL certificate and backups the old one.
@type new_cert: boolean
......@@ -111,6 +112,10 @@ def GenerateNewSslCert(new_cert, cert_filename, serial_no, log_msg):
@param serial_no: serial number of the certificate
@type log_msg: string
@param log_msg: log message to be written on certificate creation
@type uid: int
@param uid: the user ID of the user who will be owner of the certificate file
@type gid: int
@param gid: the group ID of the group who will own the certificate file
"""
cert_exists = os.path.exists(cert_filename)
......@@ -119,7 +124,7 @@ def GenerateNewSslCert(new_cert, cert_filename, serial_no, log_msg):
io.CreateBackup(cert_filename)
logging.debug(log_msg)
x509.GenerateSelfSignedSslCert(cert_filename, serial_no)
x509.GenerateSelfSignedSslCert(cert_filename, serial_no, uid=uid, gid=gid)
def VerifyCertificate(filename):
......
......@@ -288,7 +288,8 @@ def GenerateSelfSignedX509Cert(common_name, validity, serial_no):
def GenerateSelfSignedSslCert(filename, serial_no,
common_name=constants.X509_CERT_CN,
validity=constants.X509_CERT_DEFAULT_VALIDITY):
validity=constants.X509_CERT_DEFAULT_VALIDITY,
uid=-1, gid=-1):
"""Legacy function to generate self-signed X509 certificate.
@type filename: str
......@@ -297,6 +298,10 @@ def GenerateSelfSignedSslCert(filename, serial_no,
@param common_name: commonName value
@type validity: int
@param validity: validity of certificate in number of days
@type uid: int
@param uid: the user ID of the user who will be owner of the certificate file
@type gid: int
@param gid: the group ID of the group who will own the certificate file
@return: a tuple of strings containing the PEM-encoded private key and
certificate
......@@ -307,7 +312,8 @@ def GenerateSelfSignedSslCert(filename, serial_no,
(key_pem, cert_pem) = GenerateSelfSignedX509Cert(
common_name, validity * 24 * 60 * 60, serial_no)
utils_io.WriteFile(filename, mode=0400, data=key_pem + cert_pem)
utils_io.WriteFile(filename, mode=0440, data=key_pem + cert_pem,
uid=uid, gid=gid)
return (key_pem, cert_pem)
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment