From e6497f099c09dfa60bd6ae98e4692e99b7381752 Mon Sep 17 00:00:00 2001
From: Jan Cholasta
Date: May 19 2017 10:33:57 +0000
Subject: certs: do not export keys world-readable in install_key_from_p12

Make sure the exported private key files are readable only by the owner.
https://pagure.io/freeipa/issue/6831
Reviewed-By: Stanislav Laznicka
Reviewed-By: Martin Babinsky
---
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 17b9eba..06a7e21 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -73,7 +73,8 @@ def install_key_from_p12(p12_fname, p12_passwd, pem_fname):
 pwd = ipautil.write_tmp_file(p12_passwd)
 ipautil.run([paths.OPENSSL, "pkcs12", "-nodes", "-nocerts", "-in", p12_fname, "-out", pem_fname,
- "-passin", "file:" + pwd.name])
+ "-passin", "file:" + pwd.name],
+ umask=0o077)
 def export_pem_p12(pkcs12_fname, pkcs12_pwd_fname, nickname, pem_fname):
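Review bot: The `umask=0o077` added to the `ipautil.run` call only governs the mode of a file that openssl newly creates; if `pem_fname` already exists with wider permissions, openssl will most likely truncate and reuse it and the old mode stays, so the unencrypted (`-nodes`) key could still end up group- or world-readable. Consider removing any pre-existing file before the call, or tightening the mode explicitly after the export with `os.chmod(pem_fname, 0o600)` (assuming `os` is imported in this module, which the hunk does not show). A short comment such as `# -nodes writes the key unencrypted; the file mode is its only protection` above the call would record why the umask matters. The `def` line of `install_key_from_p12` appears only in the hunk header, so callers and any earlier handling of `pem_fname` are outside this view.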