Write signing keys with file mode 0640 (#16740)
Co-authored-by: Fabian Klemp <fabian.klemp@frequentis.com>pull/16743/head
parent
aa983c7b0f
commit
10ada2ff6d
|
@ -0,0 +1 @@
|
||||||
|
Fix a long-standing bug where the signing keys generated by Synapse were world-readable. Contributed by Fabian Klemp.
|
|
@ -13,6 +13,7 @@
|
||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
import argparse
|
import argparse
|
||||||
|
import os
|
||||||
import sys
|
import sys
|
||||||
|
|
||||||
from signedjson.key import generate_signing_key, write_signing_keys
|
from signedjson.key import generate_signing_key, write_signing_keys
|
||||||
|
@ -26,15 +27,21 @@ def main() -> None:
|
||||||
parser.add_argument(
|
parser.add_argument(
|
||||||
"-o",
|
"-o",
|
||||||
"--output_file",
|
"--output_file",
|
||||||
type=argparse.FileType("w"),
|
type=str,
|
||||||
default=sys.stdout,
|
default="-",
|
||||||
help="Where to write the output to",
|
help="Where to write the output to",
|
||||||
)
|
)
|
||||||
args = parser.parse_args()
|
args = parser.parse_args()
|
||||||
|
|
||||||
key_id = "a_" + random_string(4)
|
key_id = "a_" + random_string(4)
|
||||||
key = (generate_signing_key(key_id),)
|
key = (generate_signing_key(key_id),)
|
||||||
write_signing_keys(args.output_file, key)
|
if args.output_file == "-":
|
||||||
|
write_signing_keys(sys.stdout, key)
|
||||||
|
else:
|
||||||
|
with open(
|
||||||
|
args.output_file, "w", opener=lambda p, f: os.open(p, f, mode=0o640)
|
||||||
|
) as signing_key_file:
|
||||||
|
write_signing_keys(signing_key_file, key)
|
||||||
|
|
||||||
|
|
||||||
if __name__ == "__main__":
|
if __name__ == "__main__":
|
||||||
|
|
|
@ -263,7 +263,9 @@ class KeyConfig(Config):
|
||||||
|
|
||||||
if not self.path_exists(signing_key_path):
|
if not self.path_exists(signing_key_path):
|
||||||
print("Generating signing key file %s" % (signing_key_path,))
|
print("Generating signing key file %s" % (signing_key_path,))
|
||||||
with open(signing_key_path, "w") as signing_key_file:
|
with open(
|
||||||
|
signing_key_path, "w", opener=lambda p, f: os.open(p, f, mode=0o640)
|
||||||
|
) as signing_key_file:
|
||||||
key_id = "a_" + random_string(4)
|
key_id = "a_" + random_string(4)
|
||||||
write_signing_keys(signing_key_file, (generate_signing_key(key_id),))
|
write_signing_keys(signing_key_file, (generate_signing_key(key_id),))
|
||||||
else:
|
else:
|
||||||
|
@ -274,7 +276,9 @@ class KeyConfig(Config):
|
||||||
key = decode_signing_key_base64(
|
key = decode_signing_key_base64(
|
||||||
NACL_ED25519, key_id, signing_keys.split("\n")[0]
|
NACL_ED25519, key_id, signing_keys.split("\n")[0]
|
||||||
)
|
)
|
||||||
with open(signing_key_path, "w") as signing_key_file:
|
with open(
|
||||||
|
signing_key_path, "w", opener=lambda p, f: os.open(p, f, mode=0o640)
|
||||||
|
) as signing_key_file:
|
||||||
write_signing_keys(signing_key_file, (key,))
|
write_signing_keys(signing_key_file, (key,))
|
||||||
|
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue