  1. Shibboleth SP - C++
  2. SSPCPP-106

Security issue with keygen.sh

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.0
    • Fix Version/s: 2.1, 2.4
    • Component/s: Configuration
    • Labels:
      None
    • Operating System:
      Multiple
    • Web Server:
      Multiple
    • CPU Type:
      Multiple
    • C/C++ Compiler:
      Multiple

      Description


      The keygen.sh script, installed with Shibboleth SP 2.0 (into the /usr/local/etc/shibboleth directory by default), uses openssl to create a des private key put into the file sp-key.pem. It relies on the root user's umask (default 22) instead of chmod-ing the resulting file itself, so the generated private key is world readable by default. This is a security issue; the keygen.sh script should chmod the file to 0600.

          914518 -rw-r--r-- 1 root root 1675 May 22 14:59 sp-key.pem
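
Added example, not part of the original report and not the project's keygen.sh: one way to create a key file that is owner-only regardless of the caller's umask, plus an audit that flags key files readable by group or other. The function names are hypothetical, and printf stands in for the real key generator so the sketch runs offline.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Print the nine permission characters of a file, e.g. "rw-r--r--".
perm_string() {
    ls -ld -- "$1" | cut -c2-10
}

# Succeed only if group and other have no access at all.
is_owner_only() {
    case "$(perm_string "$1")" in
        ???------) return 0 ;;
        *)         return 1 ;;
    esac
}

# Run a command and store its stdout in $1 as an owner-only file.
# Assumed real use: write_private sp-key.pem openssl genrsa 2048
write_private() {
    out=$1; shift
    rm -f -- "$out"          # never reuse an old file's looser mode
    (
        umask 077            # file is created 0600, no world-readable window
        "$@" > "$out"
    ) || return 1
    chmod 600 "$out"         # explicit mode, as the report asks for
}

# Report *.pem files under a directory that group or other can access.
audit_keys() {
    find "$1" -type f -name '*.pem' | while IFS= read -r f; do
        is_owner_only "$f" || printf 'EXPOSED %s %s\n' "$(perm_string "$f")" "$f"
    done
}

# Demo on constructed data: one file made the way the report describes
# (plain redirect under umask 022) and one made with write_private.
demo() {
    d=$(mktemp -d) || return 1
    ( umask 022; printf 'constructed, not a key\n' > "$d/old-key.pem" )
    write_private "$d/new-key.pem" printf 'constructed, not a key\n'
    audit_keys "$d"
    rm -rf "$d"
}
demo
```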

              People

              Assignee:
              scott.cantor@at.internet2.edu Scott Cantor (osu.edu)
              Reporter:
              apaxmai Charles A. Morris (Inactive)