
Puppet cert generate leaves ca_key as 644 on first run

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: PUP 3.8.3, PUP 4.2.2
    • Fix Version/s: PUP 3.8.4, PUP 4.2.3
    • Component/s: None
    • Template:
    • Story Points:
      2
    • Sprint:
      Client 2015-09-30, Client 2015-10-14
    • Release Notes:
      Security Fix
    • Release Notes Summary:
      Previously, puppet generated a CA private key (Puppet[:cacert]) that was initially world readable. Note that restarting the puppet master (webrick, passenger, puppetserver) or executing the `puppet cert generate` command would automatically remediate the issue, so the exposure was limited to the time between when puppet was installed/started and when it was restarted.

      This change ensures puppet creates the CA private key with mode 640 to start with.

      Note the private host key (Puppet[:hostprivkey]) had the same issue, but its parent directory was not world executable/traversable, so it wasn't a security issue. This change also fixes the host private key so it has mode 640 to start with.

      Description

      On the first run of `puppet cert generate`, if a ca is not already set up, puppet will generate a ca_key, but will leave it as world readable, which isn't good. Subsequent puppet cert calls will manage the permissions of the file correctly as 640, but the key will be world readable for an indeterminate amount of time. You can see it in action below:

      root@klga76ahkykjzad:~# rm -rf /etc/puppetlabs/puppet/ssl/
      root@klga76ahkykjzad:~# /opt/puppetlabs/bin/puppet cert generate foo
      Notice: Signed certificate request for ca
      Notice: foo has a waiting certificate request
      Notice: Signed certificate request for foo
      Notice: Removing file Puppet::SSL::CertificateRequest foo at '/etc/puppetlabs/puppet/ssl/ca/requests/foo.pem'
      Notice: Removing file Puppet::SSL::CertificateRequest foo at '/etc/puppetlabs/puppet/ssl/certificate_requests/foo.pem'
      root@klga76ahkykjzad:~# ls -la /etc/puppetlabs/puppet/ssl/ca/
      total 44
      drwxr-xr-x 5 root root 4096 Sep 22 15:14 .
      drwxrwx--x 8 root root 4096 Sep 22 15:14 ..
      -rw-r--r-- 1 root root  995 Sep 22 15:14 ca_crl.pem
      -rw-r--r-- 1 root root 2057 Sep 22 15:14 ca_crt.pem
      -rw-r--r-- 1 root root 3247 Sep 22 15:14 ca_key.pem
      -rw-r--r-- 1 root root  800 Sep 22 15:14 ca_pub.pem
      -rw-r--r-- 1 root root  169 Sep 22 15:14 inventory.txt
      drwxr-x--- 2 root root 4096 Sep 22 15:14 private
      drwxr-xr-x 2 root root 4096 Sep 22 15:14 requests
      -rw-r--r-- 1 root root    4 Sep 22 15:14 serial
      drwxr-xr-x 2 root root 4096 Sep 22 15:14 signed
      root@klga76ahkykjzad:~# /opt/puppetlabs/bin/puppet cert help
      Error: Invalid method help to apply
      root@klga76ahkykjzad:~# ls -la /etc/puppetlabs/puppet/ssl/ca/
      total 44
      drwxr-xr-x 5 root root 4096 Sep 22 15:14 .
      drwxrwx--x 8 root root 4096 Sep 22 15:14 ..
      -rw-r--r-- 1 root root  995 Sep 22 15:14 ca_crl.pem
      -rw-r--r-- 1 root root 2057 Sep 22 15:14 ca_crt.pem
      -rw-r----- 1 root root 3247 Sep 22 15:14 ca_key.pem
      -rw-r--r-- 1 root root  800 Sep 22 15:14 ca_pub.pem
      -rw-r--r-- 1 root root  169 Sep 22 15:14 inventory.txt
      drwxr-x--- 2 root root 4096 Sep 22 15:14 private
      drwxr-xr-x 2 root root 4096 Sep 22 15:14 requests
      -rw-r--r-- 1 root root    4 Sep 22 15:14 serial
      drwxr-xr-x 2 root root 4096 Sep 22 15:14 signed
      
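      As an added illustration (this is not Puppet's code), the two file-creation patterns the ticket contrasts, written in Ruby since that is Puppet's language: the defective create-then-chmod sequence that leaves a 0644 window, the fixed form that hands mode 0640 to open(2) so the key is never observable at 0644, and a small audit over a CA directory like the one listed above. The PEM content, paths and helper names are constructed assumptions.

```ruby
require 'tmpdir'

# Constructed placeholder, not a real key.
SAMPLE_PEM = "-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n"

# Defective pattern (the ticket's first-run behaviour): create the file under
# the process umask, then tighten it later. Returns the mode the file had in
# the window before chmod; under umask 022 that is 0644, i.e. world readable.
def write_key_then_chmod(path, pem)
  File.write(path, pem)
  exposed = File.stat(path).mode & 0o777
  File.chmod(0o640, path)
  exposed
end

# Safe pattern: pass the permission bits to open(2) and refuse to clobber an
# existing file, so no other user can ever observe the key at mode 0644.
def write_key_restricted(path, pem)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o640) { |f| f.write(pem) }
  File.stat(path).mode & 0o777
end

# Audit helper for a CA directory: returns [basename, mode] for every
# *_key.pem readable by "other", the state the first ls listing above shows.
def world_readable_keys(dir)
  Dir.glob(File.join(dir, '*_key.pem')).sort.each_with_object([]) do |f, out|
    mode = File.stat(f).mode & 0o777
    out << [File.basename(f), mode] if (mode & 0o004) != 0
  end
end

# Runs both patterns under a fixed umask in a scratch directory and audits the
# result; the audit first sees the naive file before it has been repaired.
def demo(umask = 0o022)
  old = File.umask(umask)
  Dir.mktmpdir('pup5274') do |dir|
    naive_path = File.join(dir, 'ca_key.pem')
    File.write(naive_path, SAMPLE_PEM)            # first-run state: 0644
    flagged = world_readable_keys(dir)
    File.delete(naive_path)
    exposed = write_key_then_chmod(naive_path, SAMPLE_PEM)
    safe = write_key_restricted(File.join(dir, 'host_key.pem'), SAMPLE_PEM)
    { flagged: flagged, naive_initial_mode: exposed, safe_initial_mode: safe,
      after_fix: world_readable_keys(dir) }
  end
ensure
  File.umask(old) if old
end
```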

            People

            • Assignee:
              Unassigned
            • Reporter:
              matthaus Past Haus
            • Votes:
              0
            • Watchers:
              6