After IPA install the following message is shown:

```
Setup complete ... Be sure to back up the CA certificate stored in /etc/httpd/alias/cacert.p12
The password for this file is in /etc/httpd/alias/pwdfile.txt
```

Check file permissions:

```
# ls -lZ /etc/httpd/alias/cacert.p12 /etc/httpd/alias/pwdfile.txt
-r--------. root root   unconfined_u:object_r:cert_t:s0 /etc/httpd/alias/cacert.p12
-rw-rw----. root apache unconfined_u:object_r:cert_t:s0 /etc/httpd/alias/pwdfile.txt
```
If I'm not wrong, these files should have exactly same (and minimal possible) permissions. Is SELinux type "cert_t" appropriate? Is there something like "key_t"?
The file pwdfile.txt has double-duty, both being the password for the root cert and for the mod_nss database.
I can see dropping the file to 0640, but the SELinux contexts are correct.
Ok. I didn't know about the double-duty purpose. IMHO, in that case we can lower the bug priority, because a wrong password in the file isn't a security problem.
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=824484
Metadata Update from @pspacek: - Issue assigned to rcritten - Issue set to the milestone: Future Releases
In FreeIPA 4.5, the password file has tighter permissions:

```
-rw-------. root apache unconfined_u:object_r:cert_t:s0 pwdfile.txt
```

In 4.7, the password is stored in the `/var/lib/ipa/passwds/` directory. Both the directory and the file are only readable and accessible by user `root`.
Metadata Update from @cheimes: - Issue close_status updated to: fixed - Issue set to the milestone: FreeIPA 4.5 (was: Future Releases)
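Added example, not FreeIPA project code and not posted by anyone in this ticket: a small POSIX shell audit that checks owner, group, permission bits and (where stat reports a context) the SELinux type of the secret files discussed above. The function names (`check_secret_file`, `audit_ipa_secrets`) are my own; the expected values are taken from the listings quoted in this ticket (0400 root:root for cacert.p12, the 4.5-era 0600 root:apache for pwdfile.txt, both `cert_t`) and are assumptions to adjust for your release. On 4.7 the password file lives under `/var/lib/ipa/passwds/` instead, so the path argument changes accordingly. GNU `stat -c` is required.

```shell
#!/bin/sh
# Added example, not FreeIPA project code or anything posted in this ticket.
# Audits that a secret file has the owner, group, permission bits and (when
# SELinux reports a context) the SELinux type one expects. Uses GNU stat -c.

# check_secret_file PATH MODE OWNER GROUP [SELINUX_TYPE]
# Returns 0 when everything matches, 1 otherwise; each mismatch goes to stderr.
check_secret_file() {
    path=$1 want_mode=$2 want_owner=$3 want_group=$4 want_type=${5:-}
    crc=0
    if [ ! -e "$path" ]; then
        echo "$path: missing" >&2
        return 1
    fi
    # %a octal mode, %U owner, %G group, %C SELinux context ('?' when unavailable)
    set -- $(stat -c '%a %U %G %C' "$path")
    mode=$1 owner=$2 group=$3 ctx=${4:-?}
    [ "$mode" = "$want_mode" ]   || { echo "$path: mode $mode, want $want_mode" >&2; crc=1; }
    [ "$owner" = "$want_owner" ] || { echo "$path: owner $owner, want $want_owner" >&2; crc=1; }
    [ "$group" = "$want_group" ] || { echo "$path: group $group, want $want_group" >&2; crc=1; }
    # Only check the label when one was requested and SELinux actually reports one.
    if [ -n "$want_type" ] && [ "$ctx" != "?" ]; then
        # context is user:role:type:level; the type is the third field
        ftype=$(printf '%s\n' "$ctx" | cut -d: -f3)
        [ "$ftype" = "$want_type" ] || { echo "$path: SELinux type $ftype, want $want_type" >&2; crc=1; }
    fi
    return $crc
}

# Expected values for the layout quoted in this ticket (assumed; adjust per release):
# cacert.p12 0400 root:root and pwdfile.txt 0600 root:apache, both labelled cert_t.
audit_ipa_secrets() {
    arc=0
    check_secret_file /etc/httpd/alias/cacert.p12 400 root root   cert_t || arc=1
    check_secret_file /etc/httpd/alias/pwdfile.txt 600 root apache cert_t || arc=1
    return $arc
}

# Run the audit only when asked, so sourcing the file just defines the functions.
if [ "${1:-}" = "--audit" ]; then
    audit_ipa_secrets
fi
```

Run it as `sh audit.sh --audit` on the IPA server; a non-zero exit plus the stderr lines tells you which of mode, owner, group or label drifted. The SELinux check is skipped rather than failed when `stat` prints `?`, so the script gives the same verdict on a box where SELinux is disabled instead of a spurious failure.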