Bug#571631: libapache2-mod-shib2: shib-keygen generates world-readable key file

Dominic Hargreaves dom at earth.li
Fri Feb 26 15:45:13 UTC 2010


Package: libapache2-mod-shib2
Version: 2.0.dfsg1-4+lenny2
Severity: critical
Tags: security
Justification: root security hole

When setting up a new SP, I observe the following:

irregular-apocalypse:/etc/shibboleth# ls -l sp*
ls: cannot access sp*: No such file or directory
irregular-apocalypse:/etc/shibboleth# shib-keygen 
Generating a 2048 bit RSA private key
.....+++
...........................................................+++
writing new private key to 'sp-key.pem'
-----
irregular-apocalypse:/etc/shibboleth# ls -l sp*
-rw-r--r-- 1 root root 1164 Feb 26 15:39 sp-cert.pem
-rw-r--r-- 1 root root 1675 Feb 26 15:39 sp-key.pem

I believe that sp-key.pem should not be made world-readable, and
therefore suggest that the script changes its umask accordingly, and
then chmods the non-private certificate to be world-readable afterwards.





More information about the Pkg-shibboleth-devel mailing list