Keyfactor / pem-pkcs12-remote-orchestrator

The remote PEM / PKCS12 Orchestrator allows for the remote management of PEM and PKCS12 based certificate stores. The orchestrator performs operations by issuing remote commands over SSH to Linux based systems and via WinRM to Windows based systems.
Apache License 2.0

Sudo access not working because of hard coded value #20

Closed daydr3am3r closed 3 years ago

daydr3am3r commented 3 years ago

It looks like there’s a logic bug in the PEM SSH orchestrator:

I noticed that on https://github.com/Keyfactor/pem-pkcs12-remote-orchestrator/blob/main/PEMStoreSSH/RemoteHandlers/SSHHandler.cs line 192, sudo is hard coded to be disabled when the orchestrator tries to create the certificate files.

    public override void CreateEmptyStoreFile(string path)
    {
        RunCommand($"touch {path}", null, false, null);
        //using sudo will create as root. set useSudo to false
        //to ensure ownership is with the credentials configured in the platform
    }

However, this means that the user performing the sudo commands might not be able to create the file as it doesn’t have access to that path:

[user@server ~]$ touch /etc/ssl/certs/certificate.crt
touch: cannot touch ‘/etc/ssl/certs/certificate.crt’: Permission denied
[user@server ~]$

An idea (not necessarily the best one) if we want to maintain the original owner is to store the acting user in a variable and modify the permissions after file creation, or create the file using another function or command which allows specifying the user.
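The approach suggested above (create the file with elevated rights, then hand ownership back to the acting user) as an added POSIX shell example. This is not code from the Keyfactor project: it builds the command line the orchestrator's RunCommand would send over SSH, quotes the interpolated path so it cannot break out of the remote command, and takes the acting user name as a parameter (an assumption; in the orchestrator that would be the credential configured in the platform).

```shell
#!/bin/sh
# Added example, not part of pem-pkcs12-remote-orchestrator.
# Assumptions: touch, chown and sudo exist on the target host, paths are POSIX,
# and the caller supplies the acting (non-root) user name.

# shell_quote STRING: wrap STRING in single quotes, escaping embedded quotes,
# so a store path can be embedded safely in a remote shell command.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# create_store_file_cmd PATH USE_SUDO ACTING_USER
# Prints the remote command. With USE_SUDO=true the file is created as root
# (so a path such as /etc/ssl/certs is writable) and then chowned back to
# ACTING_USER, which preserves the ownership the hard-coded `false` was meant
# to guarantee. With USE_SUDO=false it behaves like the original code, minus
# the unquoted interpolation.
create_store_file_cmd() {
    path=$1
    use_sudo=$2
    user=$3
    q=$(shell_quote "$path")
    if [ "$use_sudo" = true ]; then
        printf 'sudo touch %s && sudo chown %s %s\n' "$q" "$(shell_quote "$user")" "$q"
    else
        printf 'touch %s\n' "$q"
    fi
}

# Local dry run in a temporary directory (no sudo needed): shows that the
# generated command creates the empty store file.
demo() {
    dir=$(mktemp -d)
    cmd=$(create_store_file_cmd "$dir/store.pem" false "$(id -un)")
    sh -c "$cmd"
    [ -f "$dir/store.pem" ] && echo "created $dir/store.pem"
    rm -rf "$dir"
}
```

Run `demo` to see the non-sudo path locally; the sudo variant is only meaningful on the managed host, where the chown is what keeps the certificate file owned by the platform credentials rather than root.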

doebrowsk commented 3 years ago

Thanks for creating this issue @daydr3am3r - I am fixing this with a patch release in both this repository (for the KF 9 Universal Orchestrator) and will get a patch out for the original Windows Orchestrator repo (versions < 2 of this project) now found @ https://github.com/Keyfactor/pem-pkcs12-remote-windowsorchestrator