Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-5274

Puppet cert generate leaves ca_key as 644 on first run

          Details

          • Type: Bug
          • Status: Closed
          • Priority: Normal
          • Resolution: Fixed
          • Affects Version/s: PUP 3.8.3, PUP 4.2.2
          • Fix Version/s: PUP 3.8.4, PUP 4.2.3
          • Component/s: None
          • Template:
          • Story Points:
            2
          • Sprint:
            Client 2015-09-30, Client 2015-10-14
          • Release Notes:
            Security Fix
          • Release Notes Summary:
            Hide
            Previously, puppet generated a CA private key (Puppet[:cacert]) that was initially world readable. Note restarting the puppet master (webrick, passenger, puppetserver or executing the `puppet cert generate` command would automatically remediate the issue, so the issue was limited to the time between when puppet was installed/started and when it was restarted.

            This change ensure puppets creates the CA private key with mode 640 to start with.

            Note the private host key (Puppet[:hostprivkey]) had the same issue, but the parent directory was not world executable/traversable, so it wasn't a security issue. This change does fix the host private key so it has mode 640 to start with.
            Show
            Previously, puppet generated a CA private key (Puppet[:cacert]) that was initially world readable. Note restarting the puppet master (webrick, passenger, puppetserver or executing the `puppet cert generate` command would automatically remediate the issue, so the issue was limited to the time between when puppet was installed/started and when it was restarted. This change ensure puppets creates the CA private key with mode 640 to start with. Note the private host key (Puppet[:hostprivkey]) had the same issue, but the parent directory was not world executable/traversable, so it wasn't a security issue. This change does fix the host private key so it has mode 640 to start with.

            Description

            On the first run of `puppet cert generate`, if a ca is not already set up, puppet will generate a ca_key, but will leave it as world readable, which isn't good. Subsequent puppet cert calls will manage the permissions of the file correctly as 640, but the key will be world readable for an indeterminate amount of time. You can see it in action below:

            root@klga76ahkykjzad:~# rm -rf /etc/puppetlabs/puppet/ssl/
            		 
            root@klga76ahkykjzad:~# /opt/puppetlabs/bin/puppet cert generate foo
            		 
            Notice: Signed certificate request for ca
            		 
            ls -la /etc/puppetlabs/puppet/ssl/caNotice: foo has a waiting certificate request
            		 
            Notice: Signed certificate request for foo
            		 
            Notice: Removing file Puppet::SSL::CertificateRequest foo at '/etc/puppetlabs/puppet/ssl/ca/requests/foo.pem'
            		 
            Notice: Removing file Puppet::SSL::CertificateRequest foo at '/etc/puppetlabs/puppet/ssl/certificate_requests/foo.pem'
            		 
            root@klga76ahkykjzad:~# ls -la /etc/puppetlabs/puppet/ssl/ca/
            		 
            total 44
            		 
            drwxr-xr-x 5 root root 4096 Sep 22 15:14 .
            		 
            drwxrwx--x 8 root root 4096 Sep 22 15:14 ..
            		 
            -rw-r--r-- 1 root root  995 Sep 22 15:14 ca_crl.pem
            		 
            -rw-r--r-- 1 root root 2057 Sep 22 15:14 ca_crt.pem
            		 
            -rw-r--r-- 1 root root 3247 Sep 22 15:14 ca_key.pem
            		 
            -rw-r--r-- 1 root root  800 Sep 22 15:14 ca_pub.pem
            		 
            -rw-r--r-- 1 root root  169 Sep 22 15:14 inventory.txt
            		 
            drwxr-x--- 2 root root 4096 Sep 22 15:14 private
            		 
            drwxr-xr-x 2 root root 4096 Sep 22 15:14 requests
            		 
            -rw-r--r-- 1 root root    4 Sep 22 15:14 serial
            		 
            drwxr-xr-x 2 root root 4096 Sep 22 15:14 signed
            		 
            root@klga76ahkykjzad:~# /opt/puppetlabs/bin/puppet cert help
            		 
            Error: Invalid method help to apply
            		 
            root@klga76ahkykjzad:~# ls -la /etc/puppetlabs/puppet/ssl/ca/
            		 
            total 44
            		 
            drwxr-xr-x 5 root root 4096 Sep 22 15:14 .
            		 
            drwxrwx--x 8 root root 4096 Sep 22 15:14 ..
            		 
            -rw-r--r-- 1 root root  995 Sep 22 15:14 ca_crl.pem
            		 
            -rw-r--r-- 1 root root 2057 Sep 22 15:14 ca_crt.pem
            		 
            -rw-r----- 1 root root 3247 Sep 22 15:14 ca_key.pem
            		 
            -rw-r--r-- 1 root root  800 Sep 22 15:14 ca_pub.pem
            		 
            -rw-r--r-- 1 root root  169 Sep 22 15:14 inventory.txt
            		 
            drwxr-x--- 2 root root 4096 Sep 22 15:14 private
            		 
            drwxr-xr-x 2 root root 4096 Sep 22 15:14 requests
            		 
            -rw-r--r-- 1 root root    4 Sep 22 15:14 serial
            		 
            drwxr-xr-x 2 root root 4096 Sep 22 15:14 signed

              Attachments

                Activity

                  People

                  • Assignee:
                    Unassigned
                    Reporter:
                    matthaus Past Haus
                  • Votes:
                    0 Vote for this issue
                    Watchers:
                    6 Start watching this issue

                    Dates

                    • Created:
                      Updated:
                      Resolved:

                      Zendesk Support