From 018c8364280669acc0d420b4c7eea392958c178d Mon Sep 17 00:00:00 2001
From: William Brown
Date: Apr 04 2019 23:43:27 +0000
Subject: Ticket 49899 - fix pin.txt and pwdfile permissions
Bug Description: On unix, user and group permissions are basically the same, because users always have a primary group. However, best practice ignores this, and states everything should be user owned only if security sensitive.
Fix Description: Make pin.txt and pwdfile user only owned to prevent disclosure (in limited circumstances, this is little more than a compliance step).
https://pagure.io/389-ds-base/issue/49899
Author: William Brown
Review by: tbordaz, mhonek (Thanks)
---
diff --git a/src/lib389/lib389/nss_ssl.py b/src/lib389/lib389/nss_ssl.py
index d01185e..7a8f2a5 100644
--- a/src/lib389/lib389/nss_ssl.py
+++ b/src/lib389/lib389/nss_ssl.py
@@ -60,7 +60,7 @@ class NssSsl(object):
 self.db_files = {"dbm_backend": ["%s/%s" % (self._certdb, f) for f in ("key3.db", "cert8.db", "secmod.db")],
 "sql_backend": ["%s/%s" % (self._certdb, f) for f in ("key4.db", "cert9.db", "pkcs11.txt")],
- "support": ["%s/%s" % (self._certdb, f) for f in ("noise.txt", "pin.txt", "pwdfile.txt")]}
+ "support": ["%s/%s" % (self._certdb, f) for f in ("noise.txt", PIN_TXT, PWD_TXT)]}
 def detect_alt_names(self, alt_names=[]):
 """Attempt to determine appropriate subject alternate names for a host.
@@ -104,9 +104,12 @@ class NssSsl(object):
 def _generate_noise(self, fpath):
 noise = password_generate(256)
- with open(fpath, 'w') as f:
- f.write(noise)
- os.chmod(fpath, 0o660)
+ prv_mask = os.umask(0o177)
+ try:
+ with open(fpath, 'w') as f:
+ f.write(noise)
+ finally:
+ prv_mask = os.umask(prv_mask)
 def reinit(self):
 """
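Review bot: In `_generate_noise` the mask only governs files that `open(fpath, 'w')` creates, so a noise file that already exists with the old 0o660 mode is truncated and rewritten with its group bits intact, where the removed `os.chmod` used to reset them. `os.umask` is also process-wide, so any other thread that creates a file while the mask is 0o177 inherits it, and the `prv_mask =` reassignment in `finally` is never read. Passing the mode at creation and setting it on the open descriptor avoids both problems without touching the mask. The pin.txt/pwdfile.txt block in the `reinit` hunk uses the same umask pattern and would benefit from the same approach.

```python
    def _generate_noise(self, fpath):
        noise = password_generate(256)
        # The umask can only clear bits, so the file is never created wider than 0600.
        fd = os.open(fpath, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, 'w') as f:
            # Tighten a pre-existing file before any secret material is written to it.
            os.fchmod(f.fileno(), 0o600)
            f.write(noise)
```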
@@ -136,17 +139,19 @@ only.
 # In the future we may add the needed option to avoid writing the pin
 # files.
 # Write the pin.txt, and the pwdfile.txt
- pin_file = '%s/%s' % (self._certdb, PIN_TXT)
- if not os.path.exists(pin_file):
- with open(pin_file, 'w') as f:
- f.write('Internal (Software) Token:%s' % self.dbpassword)
- os.chmod(pin_file, 0o660)
-
- pwd_text_file = '%s/%s' % (self._certdb, PWD_TXT)
- if not os.path.exists(pwd_text_file):
- with open(pwd_text_file, 'w') as f:
- f.write('%s' % self.dbpassword)
- os.chmod(pwd_text_file, 0o660)
+ prv_mask = os.umask(0o177)
+ try:
+ pin_file = '%s/%s' % (self._certdb, PIN_TXT)
+ if not os.path.exists(pin_file):
+ with open(pin_file, 'w') as f:
+ f.write('Internal (Software) Token:%s' % self.dbpassword)
+
+ pwd_text_file = '%s/%s' % (self._certdb, PWD_TXT)
+ if not os.path.exists(pwd_text_file):
+ with open(pwd_text_file, 'w') as f:
+ f.write('%s' % self.dbpassword)
+ finally:
+ prv_mask = os.umask(prv_mask)
 # Init the db.
 # 48886; This needs to be sql format ...
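Review bot: The `os.path.exists` guards in this block skip a pin.txt or pwdfile.txt that is already present, so a copy written by the earlier code keeps its 0o660 mode and the tightening never reaches it; whether `reinit` always removes these files beforehand is not visible in this hunk. The check followed by `open(..., 'w')` also leaves a window between the test and the create, and the open will follow a symlink sitting at that path. Creating with `os.open(pin_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)` and handling the already-exists error makes the create atomic, and an `os.chmod(pin_file, 0o600)` on the exists path covers files left by older installs; the same applies to `pwd_text_file`. `reinit` starts and ends outside the hunk.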