thr3ads.net - Secure testing team - [Secure-testing-team] Bug#571631: libapache2-mod-shib2: shib-keygen generates world-readable key file [Feb 2010]

If this information is useful, please help other people find it:
Share via:

Dominic Hargreaves

2010-Feb-26 15:45 UTC

[Secure-testing-team] Bug#571631: libapache2-mod-shib2: shib-keygen generates world-readable key file

Package: libapache2-mod-shib2
Version: 2.0.dfsg1-4+lenny2
Severity: critical
Tags: security
Justification: root security hole

When setting up a new SP, I observe the following:

irregular-apocalypse:/etc/shibboleth# ls -l sp*
ls: cannot access sp*: No such file or directory
irregular-apocalypse:/etc/shibboleth# shib-keygen 
Generating a 2048 bit RSA private key
.....+++
...........................................................+++
writing new private key to ''sp-key.pem''
-----
irregular-apocalypse:/etc/shibboleth# ls -l sp*
-rw-r--r-- 1 root root 1164 Feb 26 15:39 sp-cert.pem
-rw-r--r-- 1 root root 1675 Feb 26 15:39 sp-key.pem

I believe that sp-key.pem should not be made world-readable, and
therefore suggest that the script changes its umask accordingly, and
then chmods the non-private certificate to be world-readable afterwards.

Secure testing team - Feb 2010 - Bug#571631: libapache2-mod-shib2: shib-keygen generates world-readable key file

[Secure-testing-team] Bug#571631: libapache2-mod-shib2: shib-keygen generates world-readable key file