
Installation of step-ca and step-cli leave ownership and permissions unchanged - potential security issue #371

Closed
eengstrom opened this issue Dec 11, 2023 · 1 comment
Labels
bug Something isn't working

Comments

@eengstrom
Contributor

I've been testing the latest version of the code base, directly from GitHub, and discovered a potential security issue during installation of the step-ca and step-cli executables -- they are installed with owner / group as 1001 / 112 (numerical UID/GID). On most systems, those will map to some user and some system group. In my system, they actually map to my UID and the docker group, but that's just coincidence.

I'm guessing the installation is just moving files pulled out of a tarball download from Smallstep, and those are built by some CI system with the permissions of the CI system, plausibly inside a Docker container.

The ramifications of this choice leave the binaries potentially writable by a "normal" user, and since they need to be run by root, that is an obvious security vulnerability.

I believe when installed, both should be installed with user/group/permissions: root / root / 0755.

As a workaround for now, I'm adding this to my playbooks after installation of the CA (and client):

```yaml
# Reset owner, group and mode on the installed binaries after the tarball
# contents have been copied into place.
- name: step-ca | fix owner/group on the installed applications
  ansible.builtin.file:
    path: "{{ item }}"
    owner: "{{ system_root_user }}"
    group: "{{ system_root_group }}"
    mode: "0755"   # quoted so the YAML parser keeps it as an octal string
  loop:
    - /usr/bin/step-ca
    - /usr/bin/step-cli
```
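To verify on a host whether the installed binaries have the ownership and permissions the issue calls for, here is a small audit script; it is an added example, not part of the issue or of the collection, and it assumes GNU coreutils `stat` on Linux and the two binary paths named above.

```sh
#!/bin/sh
# Audit installed step binaries for the problem described above: each file
# should be owned by root:root (uid 0 / gid 0) and must not be writable by
# group or others. Assumes GNU coreutils `stat` (Linux).

# check_binary PATH [EXPECTED_UID] [EXPECTED_GID]
# Prints one verdict line; returns 0 when owner, group and write bits are as
# expected, 1 otherwise (a missing file counts as a failure).
check_binary() {
    path=$1
    want_uid=${2:-0}
    want_gid=${3:-0}
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    # %u = numeric uid, %g = numeric gid, %a = octal mode such as 755 or 4755
    set -- $(stat -c '%u %g %a' "$path")
    uid=$1; gid=$2; mode=$3
    problems=""
    [ "$uid" = "$want_uid" ] || problems="$problems owner=$uid(want $want_uid)"
    [ "$gid" = "$want_gid" ] || problems="$problems group=$gid(want $want_gid)"
    # The last two octal digits are the group and other permission sets;
    # digits 2, 3, 6 and 7 all include the write bit.
    case $mode in
        *[2367][0-7]) problems="$problems group-writable(mode $mode)" ;;
    esac
    case $mode in
        *[2367]) problems="$problems world-writable(mode $mode)" ;;
    esac
    if [ -n "$problems" ]; then
        echo "FAIL     $path:$problems"
        return 1
    fi
    echo "OK       $path ($uid:$gid $mode)"
}

# audit_step_binaries PATH... : checks every path, returns the number of failures.
audit_step_binaries() {
    failures=0
    for f in "$@"; do
        check_binary "$f" || failures=$((failures + 1))
    done
    return $failures
}

if ! audit_step_binaries /usr/bin/step-ca /usr/bin/step-cli; then
    echo "fix with: chown root:root <path> && chmod 0755 <path> for each FAIL"
fi
```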
maxhoesel added the bug label Dec 30, 2023
@maxhoesel
Collaborator

This was fixed in #373 but hasn't hit a stable release yet. I'm currently working towards a more sane versioning scheme for this collection (#335), so it might be a while before the next release.
