outposts: fix docker_tls created files permission#19978
Merged
BeryJu merged 3 commits into goauthentik:main on Feb 3, 2026
Conversation
The write_file() method used plain open() without specifying permissions, creating files with the default umask (typically 0o644). This made private keys readable by other users. Added an opener parameter with 0o600 mode to ensure sensitive cryptographic material is only accessible by the owner.
✅ Deploy Preview for authentik-docs ready!
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
✅ Deploy Preview for authentik-storybook ready!
BeryJu approved these changes on Feb 3, 2026
Codecov Report: ✅ All modified and coverable lines are covered by tests.

Additional details and impacted files:

@@            Coverage Diff             @@
##             main   #19978      +/-   ##
==========================================
- Coverage   93.26%   93.18%   -0.09%
==========================================
  Files         968      968
  Lines       53346    53417      +71
==========================================
+ Hits        49755    49777      +22
- Misses       3591     3640      +49
authentik-automation bot pushed a commit that referenced this pull request on Feb 3, 2026:
* security: use restrictive file permissions for TLS certificate files

  The write_file() method used plain open() without specifying permissions, creating files with the default umask (typically 0o644). This made private keys readable by other users. Added an opener parameter with 0o600 mode to ensure sensitive cryptographic material is only accessible by the owner.

* reuse

  Signed-off-by: Jens Langhammer <jens@goauthentik.io>

* revert import change

  Signed-off-by: Jens Langhammer <jens@goauthentik.io>

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: kolega.dev <faizan@kolega.ai>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
BeryJu added a commit that referenced this pull request on Feb 4, 2026:
…to version-2025.12) (#19993)

outposts: fix docker_tls created files permission (#19978)

* security: use restrictive file permissions for TLS certificate files

  The write_file() method used plain open() without specifying permissions, creating files with the default umask (typically 0o644). This made private keys readable by other users. Added an opener parameter with 0o600 mode to ensure sensitive cryptographic material is only accessible by the owner.

* reuse

* revert import change

---------

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
Co-authored-by: Kolega.dev <security@kolega.ai>
Co-authored-by: kolega.dev <faizan@kolega.ai>
Co-authored-by: Jens Langhammer <jens@goauthentik.io>
Vulnerability identified and fix provided by Kolega.dev
Location: authentik/outposts/docker_tls.py:29

Vulnerability
Unlike docker_ssh.py which uses a custom opener with 0o700 permissions, docker_tls.py's write_file() method uses plain open() without specifying file permissions. This means files are created with the default umask (typically 0o644), making private keys readable by other users. While the container environment provides significant mitigation (runs as UID 1000, isolated tmpfs at /dev/shm/), this is still a code defect that should be fixed. The fix is simple: add an opener parameter similar to docker_ssh.py or use os.open() with explicit mode 0o600. The practical exploitability is low due to container isolation, but this represents a genuine coding error where sensitive cryptographic material is written with overly permissive file permissions.
Fix
Added an opener function that creates files with 0o600 permissions, matching the security pattern used in docker_ssh.py. This ensures TLS certificate keys are only readable by the file owner.
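The defect and the fix described above, as an added example that is not authentik's own code: a umask-dependent write_file() next to one that uses an opener passing an explicit 0o600 mode to os.open(), with the resulting permission bits read back so the difference can be checked (the key contents and function names are constructed for the demonstration).

```python
import os
import stat
import tempfile

# Constructed "private key" material; never a real key.
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nconstructed\n-----END PRIVATE KEY-----\n"


def write_file_umask_dependent(path: str, contents: str) -> None:
    """The original pattern: plain open() creates the file with 0o666 & ~umask,
    so under the common umask 0o022 the key ends up world-readable (0o644)."""
    with open(path, "w") as f:
        f.write(contents)


def _private_opener(path: str, flags: int) -> int:
    """Opener for open(): create with mode 0o600 (owner read/write only).
    The umask is still applied, but it can only remove bits from 0o600,
    so group/other never gain access."""
    return os.open(path, flags, 0o600)


def write_file_private(path: str, contents: str) -> None:
    """The fixed pattern: same open() call, plus the restrictive opener."""
    with open(path, "w", opener=_private_opener) as f:
        f.write(contents)


def file_mode(path: str) -> int:
    """Permission bits of path, e.g. 0o644, as an int."""
    return stat.S_IMODE(os.stat(path).st_mode)


def demo(umask: int = 0o022) -> dict:
    """Write the constructed key both ways under the given umask and return
    the permission bits each variant produced."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as tmp:
            default_path = os.path.join(tmp, "key_default.pem")
            private_path = os.path.join(tmp, "key_private.pem")
            write_file_umask_dependent(default_path, FAKE_KEY)
            write_file_private(private_path, FAKE_KEY)
            return {"default": file_mode(default_path), "private": file_mode(private_path)}
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    print({k: oct(v) for k, v in demo().items()})
```

The opener only governs creation: a key file that already exists with 0o644 keeps that mode when reopened for writing, so an existing file has to be removed or chmod'ed rather than just rewritten.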