Discussion:
[xcat-user] Pem files are world readable on imaged node
Russell Auld
2017-04-27 14:23:09 UTC
Russ Auld
2017-05-01 12:04:56 UTC
On further inspection, these PEM files are being copied to the nodes
from the MASTER node when they are provisioned.

The PEM files aren't owned by any package - I'll assume that they are
created during the installation of xCAT.

Is it safe to lock these files down to mode 0600?

/install/postscripts/_xcat/ca.pem
/install/postscripts/ca/ca-cert.pem



-Russ
I just noticed that there are two world-readable pem files in
/xcatpost after a diskfull image of a node. 
Shouldn't those files be restricted or deleted?
_______________________________________________
xCAT-user mailing list
https://lists.sourceforge.net/lists/listinfo/xcat-user
Jarrod Johnson
2017-05-01 13:14:38 UTC
So these pem files are just the public CA certificate for the private cluster. There's no private key in there.

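A way to check the distinction drawn in the reply above (certificate versus private key), as an added example that is not part of the original thread or of xCAT: it reads the PEM block labels in a file and flags the file only when private-key material is readable by group or others. The function names, sample file names and file contents are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# RFC 7468 encapsulation boundary, e.g. "-----BEGIN CERTIFICATE-----"
PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----\s*$", re.MULTILINE)


def pem_labels(path):
    """Return the labels of all PEM blocks in the file, in order."""
    with open(path, "r", errors="replace") as fh:
        return PEM_BEGIN.findall(fh.read())


def audit_pem(path):
    """Classify one PEM file by content and permissions."""
    labels = pem_labels(path)
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # Covers PRIVATE KEY, RSA/EC PRIVATE KEY, ENCRYPTED and OPENSSH PRIVATE KEY
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    others_can_read = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    if has_key and others_can_read:
        verdict = "RESTRICT"    # secret material readable beyond the owner
    elif has_key:
        verdict = "ok-private"
    else:
        verdict = "ok-public"   # certificates are meant to be distributed
    return {"path": path, "mode": oct(mode), "labels": labels, "verdict": verdict}


def demo():
    """Audit two constructed files (bodies are placeholders, not real keys)."""
    tmp = tempfile.mkdtemp()
    samples = {"ca.pem": ("CERTIFICATE", 0o644),
               "server.key": ("RSA PRIVATE KEY", 0o644)}
    results = {}
    for name, (label, mode) in samples.items():
        path = os.path.join(tmp, name)
        with open(path, "w") as fh:
            fh.write(f"-----BEGIN {label}-----\nQ09OU1RSVUNURUQ=\n-----END {label}-----\n")
        os.chmod(path, mode)
        results[name] = audit_pem(path)["verdict"]
    return results


if __name__ == "__main__":
    print(demo())
```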