1686750800.v13-3-g8dbbed1.fix-race-condition-when-creating-rotating-keys-123.patch 2.1 KB

  1. Subject: Fix race condition when creating/rotating keys (#123)
  2. Origin: v13-3-g8dbbed1 <https://github.com/latchset/tang/commit/v13-3-g8dbbed1>
  3. Upstream-Author: Sergio Correia <scorreia@redhat.com>
  4. Date: Wed Jun 14 10:53:20 2023 -0300
  5. When we create/rotate keys using either the tangd-keygen and
  6. tangd-rotate-keys helpers, there is a small window between the
  7. keys being created and then the proper ownership permissions being
  8. set. This also happens when there are no keys and tang creates a
  9. pair of keys itself.
  10. In certain situations, such as the keys directory having wide open
  11. permissions, a user with local access could exploit this race
  12. condition and read the keys before they are set to more restrictive
  13. permissions.
  14. To prevent this issue, we now set the default umask to 0337 before
  15. creating the files, so that they are already created with restrictive
  16. permissions; afterwards, we set the proper ownership as usual.
  17. Issue reported by Brian McDermott of CENSUS labs.
  18. Fixes CVE-2023-1672
  19. Reviewed-by: Sergio Arroutbi <sarroutb@redhat.com>
  20. Signed-off-by: Sergio Correia <scorreia@redhat.com>
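The commit message above hinges on two facts about file creation: the mode a file gets is decided by the process umask at the instant the inode is created, and nothing done afterwards (chown, or a later umask) changes that instant. As an added example, not code from the tang project or from this patch, the POSIX shell functions below show the resulting modes for the 0337 mask the patch chooses (and the stricter 0377), show that a restrictive umask does nothing for a key file that already exists and is merely truncated, and audit a keys directory for files that came out wider than 0440. They assume GNU coreutils `stat` for `stat -c '%a'`; the JSON written to the files is a constructed stand-in for `jose jwk gen` output, not a real key.

```shell
#!/bin/sh
# Added example, not code from the tang project or the patch above: shows what
# a file-creation mask does for key files written via shell redirection, the
# way tangd-keygen and tangd-rotate-keys do it. Assumes GNU coreutils `stat`
# for `stat -c '%a'` (octal mode). The JSON written below is a constructed
# stand-in for `jose jwk gen` output, not a real key.
set -u

# Create a fresh key file under the given umask (inside a subshell so the
# caller's mask is untouched) and print its octal mode. 0337 gives 0440,
# 0377 gives 0400, the usual 022 gives 0644.
mode_after_create() {
    mask=$1
    dir=$(mktemp -d)
    ( umask "$mask"; echo '{"alg":"ES512","kty":"EC"}' > "$dir/key.jwk" )
    stat -c '%a' "$dir/key.jwk"
    rm -rf "$dir"
}

# The mask only applies when the inode is created. Truncating an existing
# file with `>` keeps whatever mode it already had, so a restrictive umask
# does not repair a key file that was created too wide earlier.
mode_after_truncate_existing() {
    mask=$1
    dir=$(mktemp -d)
    ( umask 022; echo '{"old":true}' > "$dir/key.jwk" )       # created 0644
    ( umask "$mask"; echo '{"new":true}' > "$dir/key.jwk" )   # truncated, still 0644
    stat -c '%a' "$dir/key.jwk"
    rm -rf "$dir"
}

# Audit a keys directory: print every *.jwk (including rotated, dot-prefixed
# ones) whose mode grants anything beyond owner/group read, i.e. has bits
# outside 0440. Returns 1 if any such file exists, 0 otherwise.
audit_key_dir() {
    keydir=$1
    bad=0
    for f in "$keydir"/*.jwk "$keydir"/.*.jwk; do
        [ -f "$f" ] || continue            # unmatched glob stays literal; skip it
        mode=$(stat -c '%a' "$f")
        # Leading 0 makes the shell read the digits as octal, like chmod does.
        if [ $(( 0$mode & ~0440 )) -ne 0 ]; then
            echo "too permissive: $f (mode $mode)"
            bad=1
        fi
    done
    return "$bad"
}

# Stand-alone run: print the three modes and audit a constructed directory.
if [ "${1:-}" = "demo" ]; then
    echo "umask 0337 -> $(mode_after_create 0337)"
    echo "umask 0377 -> $(mode_after_create 0377)"
    echo "umask 0337 on existing 0644 file -> $(mode_after_truncate_existing 0337)"
    d=$(mktemp -d)
    ( umask 0337; echo '{"alg":"ES512"}' > "$d/good.jwk" )
    ( umask 022;  echo '{"alg":"ECMR"}'  > "$d/bad.jwk" )
    audit_key_dir "$d" || echo "audit failed as expected"
    rm -rf "$d"
fi
```

Run it as `sh example.sh demo`. The second function is the one to keep in mind when applying this fix to an existing deployment: key files created by an older, unpatched helper keep their original mode until something explicitly chmods them, so the audit function (or an equivalent `find "$keydir" -name '*.jwk' ! -perm 0440`) is the check to run once after upgrading.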
  21. --- a/src/keys.c
  22. +++ b/src/keys.c
  23. @@ -307,6 +307,9 @@
  24. {
  25. const char* alg[] = {"ES512", "ECMR", NULL};
  26. char path[PATH_MAX];
  27. +
  28. + /* Set default umask for file creation. */
  29. + umask(0337);
  30. for (int i = 0; alg[i] != NULL; i++) {
  31. json_auto_t* jwk = jwk_generate(alg[i]);
  32. if (!jwk) {
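Review bot: `umask(0337);` changes the file-creation mask of the whole tangd process and the previous value is neither saved nor restored, so every file this process creates from here on, not only the two key files written by this loop, comes out as 0666 & ~0337 = 0440, and any directory as 0440 as well, which is not searchable. If the mask is meant to cover just the key files, capture and restore it around the loop (`mode_t old = umask(0337);` before, `umask(old);` after); if a permanent process-wide change is intended, the comment should say so rather than "Set default umask". Also, 0337 leaves the group read bit set (0440) until the ownership change the commit message describes, so 0377 (0400) would narrow the window further if the key files do not need to be group-readable.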
  33. --- a/src/tangd-keygen.in
  34. +++ b/src/tangd-keygen.in
  35. @@ -38,6 +38,10 @@
  36. [ $# -eq 3 ] && sig=$2 && exc=$3
  37. THP_DEFAULT_HASH=S256 # SHA-256.
  38. +
  39. +# Set default umask for file creation.
  40. +umask 0337
  41. +
  42. jwe=$(jose jwk gen -i '{"alg":"ES512"}')
  43. [ -z "$sig" ] && sig=$(echo "$jwe" | jose jwk thp -i- -a "${THP_DEFAULT_HASH}")
  44. echo "$jwe" > "$1/$sig.jwk"
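Review bot: `umask 0337` only governs files that the redirection `echo "$jwe" > "$1/$sig.jwk"` actually creates; if a file of that name already exists, `>` truncates it and keeps its current mode bits, so a pre-existing key file with wide permissions is rewritten but not tightened. Consider refusing to overwrite (`set -o noclobber`, or an explicit `[ -e "$1/$sig.jwk" ]` check) or following the write with `chmod 0440 "$1/$sig.jwk"` as a belt-and-braces step. The comment "Set default umask for file creation." could also state the reason (key files must never be readable by others, even briefly) so it survives independently of the commit message.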
  45. --- a/src/tangd-rotate-keys.in
  46. +++ b/src/tangd-rotate-keys.in
  47. @@ -79,6 +79,10 @@
  48. # Create a new set of keys.
  49. DEFAULT_THP_HASH="S256"
  50. +
  51. + # Set default umask for file creation.
  52. + umask 0337
  53. +
  54. for alg in "ES512" "ECMR"; do
  55. json="$(printf '{"alg": "%s"}' "${alg}")"
  56. jwe="$(jose jwk gen --input "${json}")"
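Review bot: the indentation places `umask 0337` inside a block, but the mask is a property of the shell process and stays in force for everything tangd-rotate-keys does after this point, so any later file or directory the script creates will also come out 0440 (a directory with mode 0440 cannot be entered). If anything other than the new key files is created later in the script, wrap the generation in a subshell (`( umask 0337; ... )`) or save and restore the mask (`old=$(umask); umask 0337; ...; umask "$old"`). Minor: tangd-keygen.in invokes `jose jwk gen -i` while this script uses `jose jwk gen --input`; both work, but one spelling across the two helpers would be easier to grep for.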