@return: list of tuples of the token type and the public crypto token
"""
+ getents = runtime.GetEnts()
_VALID_CERT_FILES = [pathutils.NODED_CERT_FILE,
pathutils.NODED_CLIENT_CERT_FILE,
pathutils.NODED_CLIENT_CERT_FILE_TMP]
utils.GenerateNewSslCert(
True, cert_filename, serial_no,
- "Create new client SSL certificate in %s." % cert_filename)
+ "Create new client SSL certificate in %s." % cert_filename,
+ uid=getents.masterd_uid, gid=getents.masterd_gid)
tokens.append((token_type,
utils.GetCertificateDigest(
cert_filename=cert_filename)))
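Review bot: The new keyword arguments on L11 hand ownership of the node's client certificate (private key included, since the writer stores key and cert in one file) to `masterd_uid`/`masterd_gid`, but nothing in the hunk says why the master daemon rather than noded should own a file noded presents as its own identity; add a why-comment above the call, e.g. `# owned by masterd so the master side can read the client cert/key; mode is set by the writer`, adjusting it to the actual reason. `getents = runtime.GetEnts()` on L3 is now evaluated on every call of this function, while its only visible use is inside the regeneration branch on L11 — presumably cheap, but if GetEnts resolves names via the system user database and can raise, the failure now affects every token request, which is worth confirming. The enclosing function starts and ends outside the hunk, so the `_VALID_CERT_FILES` check against `cert_filename` (L4-L6) is not visible here; the lower-case-scoped UPPER_SNAKE name is also unusual for a function-local.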
getent.noded_uid, getent.masterd_gid, False),
(pathutils.NODED_CERT_FILE, FILE, pathutils.NODED_CERT_MODE,
getent.masterd_uid, getent.masterd_gid, False),
+ (pathutils.NODED_CLIENT_CERT_FILE, FILE, pathutils.NODED_CERT_MODE,
+ getent.masterd_uid, getent.masterd_gid, False),
(pathutils.WATCHER_PAUSEFILE, FILE, 0644,
getent.masterd_uid, getent.masterd_gid, False),
]
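Review bot: The new table entry on L18-L19 enforces `pathutils.NODED_CERT_MODE` on `NODED_CLIENT_CERT_FILE`, but the value of that constant is not visible here, while the certificate writer elsewhere in this change creates the file with mode 0440; if the two disagree, ensure-dirs will silently re-set the mode on every run and either re-widen or break the intended group read, so confirm they match or derive both from one constant. `NODED_CLIENT_CERT_FILE_TMP` is listed as a valid target in the backend but is absent from this table; that is presumably deliberate for a transient file, but a temp file left behind by a crash would then never have its ownership or mode corrected — a short comment stating the intent, e.g. `# NODED_CLIENT_CERT_FILE_TMP is transient and deliberately not managed here`, would settle it. The enclosing path list begins outside the hunk.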
return cert.digest("sha1")
-def GenerateNewSslCert(new_cert, cert_filename, serial_no, log_msg):
+def GenerateNewSslCert(new_cert, cert_filename, serial_no, log_msg,
+ uid=-1, gid=-1):
"""Creates a new SSL certificate and backups the old one.
@type new_cert: boolean
@param serial_no: serial number of the certificate
@type log_msg: string
@param log_msg: log message to be written on certificate creation
+ @type uid: int
+ @param uid: the user ID of the user who will be owner of the certificate file
+ @type gid: int
+ @param gid: the group ID of the group who will own the certificate file
"""
cert_exists = os.path.exists(cert_filename)
io.CreateBackup(cert_filename)
logging.debug(log_msg)
- x509.GenerateSelfSignedSslCert(cert_filename, serial_no)
+ x509.GenerateSelfSignedSslCert(cert_filename, serial_no, uid=uid, gid=gid)
def VerifyCertificate(filename):
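Review bot: The new `uid=-1, gid=-1` defaults on L25-L26 are documented on L32-L35 only as "the user ID of the user who will be owner", which does not tell a caller what the default does; if these are ultimately passed to a chown-style call, -1 means "leave that id unchanged", and the docstring should say so, e.g. `@param uid: owner of the certificate file; -1 (default) leaves ownership unchanged`, and likewise for `gid`. `io.CreateBackup(cert_filename)` on L38 copies the previous key-and-certificate file before the new one is written, and the backup's ownership and mode come from CreateBackup, not from the uid/gid and mode chosen for the new file — confirm that the backup of a private key is not left more readable than the file it replaces. The function's docstring and the start of its body are partly outside the hunk, so I could not check whether `cert_exists` on L37 is used.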
def GenerateSelfSignedSslCert(filename, serial_no,
common_name=constants.X509_CERT_CN,
- validity=constants.X509_CERT_DEFAULT_VALIDITY):
+ validity=constants.X509_CERT_DEFAULT_VALIDITY,
+ uid=-1, gid=-1):
"""Legacy function to generate self-signed X509 certificate.
@type filename: str
@param common_name: commonName value
@type validity: int
@param validity: validity of certificate in number of days
+ @type uid: int
+ @param uid: the user ID of the user who will be owner of the certificate file
+ @type gid: int
+ @param gid: the group ID of the group who will own the certificate file
@return: a tuple of strings containing the PEM-encoded private key and
certificate
(key_pem, cert_pem) = GenerateSelfSignedX509Cert(
common_name, validity * 24 * 60 * 60, serial_no)
- utils_io.WriteFile(filename, mode=0400, data=key_pem + cert_pem)
+ utils_io.WriteFile(filename, mode=0440, data=key_pem + cert_pem,
+ uid=uid, gid=gid)
return (key_pem, cert_pem)
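Review bot: The mode widening from 0400 to 0440 on L62 applies to every caller, including the existing ones that pass no `gid`, so a file that previously was readable only by its owner becomes readable by whatever group the writing process assigns it by default — a private key is in that file (`key_pem + cert_pem`), so unless every caller is meant to produce group-readable keys, tie the wider mode to an explicit group: `mode = 0400 if gid == -1 else 0440` and then `utils_io.WriteFile(filename, mode=mode, data=key_pem + cert_pem, uid=uid, gid=gid)`. Whether the file is created with the final mode and ownership before the key bytes land, or adjusted afterwards, depends on WriteFile, which is not visible here; if it writes the content first and chmods later there is a window where the key is exposed under the default umask, so confirm it uses the create-temp-then-rename pattern. The docstring on L53-L56 should also state that -1 leaves the owner or group unchanged, assuming these are forwarded to a chown-style call.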