When we create/rotate keys using either the tangd-keygen and tangd-rotate-keys helpers, there is a small window between the keys being created and then the proper ownership permissions being set. This also happens when there are no keys and tang creates a pair of keys itself.
In certain situations, such as the keys directory having wide open permissions, a user with local access could exploit this race condition and read the keys before they are set to more restrictive permissions.
To prevent this issue, we now set the default umask to 0337 before creating the files, so that they are already created with restrictive permissions; afterwards, we set the proper ownership as usual.
When we create/rotate keys using either the tangd-keygen and tangd-rotate-keys helpers, there is a small window between the keys being created and then the proper ownership permissions being set. This also happens when there are no keys and tang creates a pair of keys itself.
In certain situations, such as the keys directory having wide open permissions, a user with local access could exploit this race condition and read the keys before they are set to more restrictive permissions.
To prevent this issue, we now set the default umask to 0337 before creating the files, so that they are already created with restrictive permissions; afterwards, we set the proper ownership as usual.
Issue reported by Brian McDermott of CENSUS labs.
Fixes CVE-2023-1672
Reviewed-by: Sergio Arroutbi sarroutb@redhat.com