Write signing keys with file mode 0640 (#16740)

Co-authored-by: Fabian Klemp <fabian.klemp@frequentis.com>
pull/16743/head
elara-leitstellentechnik 2023-12-08 17:25:57 +01:00 committed by GitHub
parent aa983c7b0f
commit 10ada2ff6d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 17 additions and 5 deletions

1
changelog.d/16740.bugfix Normal file
View File

@ -0,0 +1 @@
Fix a long-standing bug where the signing keys generated by Synapse were world-readable. Contributed by Fabian Klemp.

View File

@ -13,6 +13,7 @@
# See the License for the specific language governing permissions and # See the License for the specific language governing permissions and
# limitations under the License. # limitations under the License.
import argparse import argparse
import os
import sys import sys
from signedjson.key import generate_signing_key, write_signing_keys from signedjson.key import generate_signing_key, write_signing_keys
@ -26,15 +27,21 @@ def main() -> None:
parser.add_argument( parser.add_argument(
"-o", "-o",
"--output_file", "--output_file",
type=argparse.FileType("w"), type=str,
default=sys.stdout, default="-",
help="Where to write the output to", help="Where to write the output to",
) )
args = parser.parse_args() args = parser.parse_args()
key_id = "a_" + random_string(4) key_id = "a_" + random_string(4)
key = (generate_signing_key(key_id),) key = (generate_signing_key(key_id),)
write_signing_keys(args.output_file, key) if args.output_file == "-":
write_signing_keys(sys.stdout, key)
else:
with open(
args.output_file, "w", opener=lambda p, f: os.open(p, f, mode=0o640)
) as signing_key_file:
write_signing_keys(signing_key_file, key)
if __name__ == "__main__": if __name__ == "__main__":

View File

@ -263,7 +263,9 @@ class KeyConfig(Config):
if not self.path_exists(signing_key_path): if not self.path_exists(signing_key_path):
print("Generating signing key file %s" % (signing_key_path,)) print("Generating signing key file %s" % (signing_key_path,))
with open(signing_key_path, "w") as signing_key_file: with open(
signing_key_path, "w", opener=lambda p, f: os.open(p, f, mode=0o640)
) as signing_key_file:
key_id = "a_" + random_string(4) key_id = "a_" + random_string(4)
write_signing_keys(signing_key_file, (generate_signing_key(key_id),)) write_signing_keys(signing_key_file, (generate_signing_key(key_id),))
else: else:
@ -274,7 +276,9 @@ class KeyConfig(Config):
key = decode_signing_key_base64( key = decode_signing_key_base64(
NACL_ED25519, key_id, signing_keys.split("\n")[0] NACL_ED25519, key_id, signing_keys.split("\n")[0]
) )
with open(signing_key_path, "w") as signing_key_file: with open(
signing_key_path, "w", opener=lambda p, f: os.open(p, f, mode=0o640)
) as signing_key_file:
write_signing_keys(signing_key_file, (key,)) write_signing_keys(signing_key_file, (key,))