From 8dbbed10870378f1b2c3cf3df2ea7edca7617096 Mon Sep 17 00:00:00 2001
From: Sergio Correia <scorreia@redhat.com>
Date: Wed, 14 Jun 2023 10:53:20 -0300
Subject: [PATCH] Fix race condition when creating/rotating keys (#123)

When we create/rotate keys using either the tangd-keygen and
tangd-rotate-keys helpers, there is a small window between the
keys being created and then the proper ownership permissions being
set. This also happens when there are no keys and tang creates a
pair of keys itself.

In certain situations, such as the keys directory having wide open
permissions, a user with local access could exploit this race
condition and read the keys before they are set to more restrictive
permissions.

To prevent this issue, we now set the default umask to 0337 before
creating the files, so that they are already created with restrictive
permissions; afterwards, we set the proper ownership as usual.

Issue reported by Brian McDermott of CENSUS labs.

Fixes CVE-2023-1672

Refer: 
   https://github.com/latchset/tang/commit/8dbbed10870378f1b2c3cf3df2ea7edca7617096
   https://ubuntu.com/security/CVE-2023-1672

Reviewed-by: Sergio Arroutbi <sarroutb@redhat.com>
Signed-off-by: Sergio Correia <scorreia@redhat.com>
---
 src/tangd-keygen | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/tangd-keygen b/src/tangd-keygen
index 20d498e..d894ece 100755
--- a/src/tangd-keygen
+++ b/src/tangd-keygen
@@ -27,6 +27,9 @@ fi
 
 [ $# -eq 3 ] && sig=$2 && exc=$3
 
+# Set default umask for file creation.
+umask 0337
+
 jwe=`jose jwk gen -i '{"alg":"ES512"}'`
 [ -z "$sig" ] && sig=`echo "$jwe" | jose jwk thp -i-`
 echo "$jwe" > $1/$sig.jwk
-- 
2.33.0