bbb-install.sh deploys a certbot deploy hook to bunble the certs and private key into a .pem file to be used by haproxy. Sadly this sensible file is created in a insecure way:
|
touch /etc/haproxy/certbundle.pem.new |
|
chmod 0640 /etc/haproxy/certbundle.pem.new |
An arbitrary user can win a race condition between the touch and the chmod command. If the user succeeds to open the file before the chmod got applied he will be able to retrieve the private key.
Fix:
- replace both commands with a single
umask 007
bbb-install.shdeploys a certbot deploy hook to bunble the certs and private key into a .pem file to be used by haproxy. Sadly this sensible file is created in a insecure way:bbb-install/bbb-install.sh
Lines 807 to 808 in 9ae77a2
An arbitrary user can win a race condition between the
touchand thechmodcommand. If the user succeeds to open the file before thechmodgot applied he will be able to retrieve the private key.Fix:
umask 007