-
Type:
Bug
-
Status: Closed
-
Priority:
Normal
-
Resolution: Fixed
-
Affects Version/s: PUP 3.8.3, PUP 4.2.2
-
Component/s: None
-
Labels:
-
Story Points:2
-
Sprint:Client 2015-09-30, Client 2015-10-14
-
Release Notes:Security Fix
-
Release Notes Summary:
On the first run of `puppet cert generate`, if a CA is not already set up, puppet generates a ca_key but leaves it world-readable (mode 0644), which exposes the CA private key to every local user on the host. Subsequent `puppet cert` calls correct the file's permissions to 0640, but until one of them runs the key stays world-readable for an indeterminate amount of time. You can see it in action below:
root@klga76ahkykjzad:~# rm -rf /etc/puppetlabs/puppet/ssl/
root@klga76ahkykjzad:~# /opt/puppetlabs/bin/puppet cert generate foo
Notice: Signed certificate request for ca
ls -la /etc/puppetlabs/puppet/ssl/caNotice: foo has a waiting certificate request
Notice: Signed certificate request for foo
Notice: Removing file Puppet::SSL::CertificateRequest foo at '/etc/puppetlabs/puppet/ssl/ca/requests/foo.pem'
Notice: Removing file Puppet::SSL::CertificateRequest foo at '/etc/puppetlabs/puppet/ssl/certificate_requests/foo.pem'
root@klga76ahkykjzad:~# ls -la /etc/puppetlabs/puppet/ssl/ca/
total 44
drwxr-xr-x 5 root root 4096 Sep 22 15:14 .
drwxrwx--x 8 root root 4096 Sep 22 15:14 ..
-rw-r--r-- 1 root root 995 Sep 22 15:14 ca_crl.pem
-rw-r--r-- 1 root root 2057 Sep 22 15:14 ca_crt.pem
-rw-r--r-- 1 root root 3247 Sep 22 15:14 ca_key.pem
-rw-r--r-- 1 root root 800 Sep 22 15:14 ca_pub.pem
-rw-r--r-- 1 root root 169 Sep 22 15:14 inventory.txt
drwxr-x--- 2 root root 4096 Sep 22 15:14 private
drwxr-xr-x 2 root root 4096 Sep 22 15:14 requests
-rw-r--r-- 1 root root 4 Sep 22 15:14 serial
drwxr-xr-x 2 root root 4096 Sep 22 15:14 signed
root@klga76ahkykjzad:~# /opt/puppetlabs/bin/puppet cert help
Error: Invalid method help to apply
root@klga76ahkykjzad:~# ls -la /etc/puppetlabs/puppet/ssl/ca/
total 44
drwxr-xr-x 5 root root 4096 Sep 22 15:14 .
drwxrwx--x 8 root root 4096 Sep 22 15:14 ..
-rw-r--r-- 1 root root 995 Sep 22 15:14 ca_crl.pem
-rw-r--r-- 1 root root 2057 Sep 22 15:14 ca_crt.pem
-rw-r----- 1 root root 3247 Sep 22 15:14 ca_key.pem
-rw-r--r-- 1 root root 800 Sep 22 15:14 ca_pub.pem
-rw-r--r-- 1 root root 169 Sep 22 15:14 inventory.txt
drwxr-x--- 2 root root 4096 Sep 22 15:14 private
drwxr-xr-x 2 root root 4096 Sep 22 15:14 requests
-rw-r--r-- 1 root root 4 Sep 22 15:14 serial
drwxr-xr-x 2 root root 4096 Sep 22 15:14 signed