Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Commit

Permalink
Write signing keys with file mode 0640 (#16740)
Browse files Browse the repository at this point in the history 
Co-authored-by: Fabian Klemp <fabian.klemp@frequentis.com>
  • Loading branch information
@frq-asgard-fake
elara-leitstellentechnik and frq-asgard-fake committed Dec 8, 2023
1 parent aa983c7 commit 10ada2f
Show file tree
Hide file tree
Showing 3 changed files with 17 additions and 5 deletions.
1 change: 1 addition & 0 deletions changelog.d/16740.bugfix
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Fix a long-standing bug where the signing keys generated by Synapse were world-readable. Contributed by Fabian Klemp.
13 changes: 10 additions & 3 deletions synapse/_scripts/generate_signing_key.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
# See the License for the specific language governing permissions and
# limitations under the License.
import argparse
import os
import sys

from signedjson.key import generate_signing_key, write_signing_keys
Expand All @@ -26,15 +27,21 @@ def main() -> None:
parser.add_argument(
"-o",
"--output_file",
type=argparse.FileType("w"),
default=sys.stdout,
type=str,
default="-",
help="Where to write the output to",
)
args = parser.parse_args()

key_id = "a_" + random_string(4)
key = (generate_signing_key(key_id),)
write_signing_keys(args.output_file, key)
if args.output_file == "-":
write_signing_keys(sys.stdout, key)
else:
with open(
args.output_file, "w", opener=lambda p, f: os.open(p, f, mode=0o640)
) as signing_key_file:
write_signing_keys(signing_key_file, key)


if __name__ == "__main__":
Expand Down
8 changes: 6 additions & 2 deletions synapse/config/key.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -263,7 +263,9 @@ def generate_files(self, config: Dict[str, Any], config_dir_path: str) -> None:

if not self.path_exists(signing_key_path):
print("Generating signing key file %s" % (signing_key_path,))
with open(signing_key_path, "w") as signing_key_file:
with open(
signing_key_path, "w", opener=lambda p, f: os.open(p, f, mode=0o640)
) as signing_key_file:
key_id = "a_" + random_string(4)
write_signing_keys(signing_key_file, (generate_signing_key(key_id),))
else:
Expand All @@ -274,7 +276,9 @@ def generate_files(self, config: Dict[str, Any], config_dir_path: str) -> None:
key = decode_signing_key_base64(
NACL_ED25519, key_id, signing_keys.split("\n")[0]
)
with open(signing_key_path, "w") as signing_key_file:
with open(
signing_key_path, "w", opener=lambda p, f: os.open(p, f, mode=0o640)
) as signing_key_file:
write_signing_keys(signing_key_file, (key,))


Expand Down

0 comments on commit 10ada2f

Please sign in to comment.