Alon Bar-Lev has uploaded a new change for review. Change subject: pki: enforce lock file permissions same as ca private key ......................................................................
pki: enforce lock file permissions same as ca private key
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1075209
Change-Id: I89d1bee3c7fff1bae2ee555d556e35171bef612c
Signed-off-by: Alon Bar-Lev <[email protected]>
---
M packaging/bin/pki-enroll-request.sh
M packaging/setup/ovirt_engine_setup/constants.py
M packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/__init__.py
A packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/upgrade.py
4 files changed, 66 insertions(+), 2 deletions(-)

git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/29/25629/1

diff --git a/packaging/bin/pki-enroll-request.sh b/packaging/bin/pki-enroll-request.sh
index 47bc8fa..b81b2d0 100755
--- a/packaging/bin/pki-enroll-request.sh
+++ b/packaging/bin/pki-enroll-request.sh
@@ -90,13 +90,22 @@
 # path must be local as remote filesystems
 # do not [always] support flock.
 LOCKFILE="/tmp/ovirt-engine-pki.lock"
+LOCKFILE_REF="${PKIDIR}/private/ca.pem"
+
+if [ -f "${LOCKFILE}" ]; then
+	if [ "$(stat --printf "%u-%g-%a\n" "${LOCKFILE}" "${LOCKFILE_REF}" 2>&1 | uniq | wc -l)" != 1 ]; then
+		rm "${LOCKFILE}" || die "Invalid permissions for '${LOCKFILE}', please remove"
+	fi
+fi
 
 # create lock file if not already exists
 # make sure it is world readable so we can
 # lock file by any user.
 if ! [ -f "${LOCKFILE}" ]; then
-	touch "${LOCKFILE}" || die "Cannot create lockfile '${LOCKFILE}'"
-	chmod a+r "${LOCKFILE}"
+	touch "${LOCKFILE}.tmp" || die "Cannot create lockfile '${LOCKFILE}.tmp'"
+	chown --reference="${LOCKFILE_REF}" "${LOCKFILE}.tmp" || die "Cannot set ownership of lockfile '${LOCKFILE}.tmp'"
+	chmod --reference="${LOCKFILE_REF}" "${LOCKFILE}.tmp" || die "Cannot set permissions of lockfile '${LOCKFILE}.tmp'"
+	mv "${LOCKFILE}.tmp" "${LOCKFILE}" || die "Cannot create lockfile '${LOCKFILE}'"
 fi
 
 # Wait for lock on fd 9
diff --git a/packaging/setup/ovirt_engine_setup/constants.py b/packaging/setup/ovirt_engine_setup/constants.py
index ee8d23d..98065dc 100644
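Review bot: The lock-file creation in the second half of the hunk builds its temporary file at the predictable name `${LOCKFILE}.tmp` inside world-writable /tmp, and `touch`, `chown --reference` and `chmod --reference` all follow symlinks, so any local user who pre-creates that path as a symlink gets its target touched, re-owned and re-moded by whichever account runs this script (the new upgrade plugin suggests it also runs under engine-setup, presumably as root). The permission check on the existing lock file is not affected in the same way, because `stat` without -L reports on the link itself and a planted symlink will fail the comparison, and `rm` of a foreign-owned entry in sticky /tmp already fails into `die`; only the `.tmp` step is unprotected. Create the temporary file with `mktemp` using a template in the same directory, so the name is unguessable and the file is created O_EXCL, then `mv` it into place as below. The comment `# make sure it is world readable so we can` / `# lock file by any user.` is now stale, since the file is given ca.pem's owner and mode, and should read `# owner and mode are copied from the CA private key, so only its owner can take the lock`.
```shell
# … unchanged: LOCKFILE/LOCKFILE_REF setup and the permission check …
if ! [ -f "${LOCKFILE}" ]; then
	# mktemp creates the file O_EXCL under an unguessable name, so a
	# symlink planted at a known path cannot redirect chown/chmod
	tmplock="$(mktemp "${LOCKFILE}.XXXXXX")" || die "Cannot create lockfile '${LOCKFILE}'"
	chown --reference="${LOCKFILE_REF}" "${tmplock}" || die "Cannot set ownership of lockfile '${tmplock}'"
	chmod --reference="${LOCKFILE_REF}" "${tmplock}" || die "Cannot set permissions of lockfile '${tmplock}'"
	mv "${tmplock}" "${LOCKFILE}" || die "Cannot create lockfile '${LOCKFILE}'"
fi
```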
--- a/packaging/setup/ovirt_engine_setup/constants.py
+++ b/packaging/setup/ovirt_engine_setup/constants.py
@@ -182,6 +182,7 @@
         'answers',
     )
 
+    OVIRT_ENGINE_PKI_LOCKFILE = '/tmp/ovirt-engine-pki.lock'
     OVIRT_ENGINE_PKIKEYSDIR = os.path.join(
         OVIRT_ENGINE_PKIDIR,
         'keys',
diff --git a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/__init__.py b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/__init__.py
index f51d0a7..6058adc 100644
--- a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/__init__.py
+++ b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/__init__.py
@@ -24,12 +24,14 @@
 
 from . import ca
 from . import ssh
+from . import upgrade
 
 
 @util.export
 def createPlugins(context):
     ca.Plugin(context=context)
     ssh.Plugin(context=context)
+    upgrade.Plugin(context=context)
 
 
 # vim: expandtab tabstop=4 shiftwidth=4
diff --git a/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/upgrade.py b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/upgrade.py
new file mode 100644
index 0000000..cb3974f
--- /dev/null
+++ b/packaging/setup/plugins/ovirt-engine-setup/ovirt-engine/pki/upgrade.py
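Review bot: `OVIRT_ENGINE_PKI_LOCKFILE` in the constants.py hunk duplicates the literal `LOCKFILE="/tmp/ovirt-engine-pki.lock"` that pki-enroll-request.sh defines on its own, so the two can drift silently and the upgrade plugin would then unlink a path the enroll script no longer uses. The shell script cannot import the Python constant, so a cross-reference on the new line is the least that should be there: `# keep in sync with LOCKFILE in packaging/bin/pki-enroll-request.sh`. The class enclosing this constant starts outside the hunk.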
@@ -0,0 +1,52 @@
+#
+# ovirt-engine-setup -- ovirt engine setup
+# Copyright (C) 2014 Red Hat, Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+
+"""ssh plugin."""
+
+
+import os
+import gettext
+_ = lambda m: gettext.dgettext(message=m, domain='ovirt-engine-setup')
+
+
+from otopi import util
+from otopi import plugin
+
+
+from ovirt_engine_setup import constants as osetupcons
+
+
+@util.export
+class Plugin(plugin.PluginBase):
+
+    @plugin.event(
+        stage=plugin.Stages.STAGE_MISC,
+    )
+    def _misc(self):
+        #
+        # Lock file was owned by root while
+        # new vesions requires owner match ca
+        # private key.
+        # Remove lock file, it will be created
+        # at next attempt.
+        #
+        if os.path.exists(osetupcons.FileLocations.OVIRT_ENGINE_PKI_LOCKFILE):
+            os.unlink(osetupcons.FileLocations.OVIRT_ENGINE_PKI_LOCKFILE)
+
+
+# vim: expandtab tabstop=4 shiftwidth=4

--
To view, visit http://gerrit.ovirt.org/25629
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: newchange
Gerrit-Change-Id: I89d1bee3c7fff1bae2ee555d556e35171bef612c
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Alon Bar-Lev <[email protected]>
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches
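Review bot: `_misc` does `os.path.exists` followed by `os.unlink`, which is a check-then-act race and, more to the point, `exists()` returns False for a dangling symlink, so a symlink planted at the lock path by another /tmp user is left in place for the next enroll run to follow. Unlink unconditionally and ignore only ENOENT (unlink removes the link itself, never its target), as in the excerpt below, with `import errno` added to the stdlib imports. The module docstring `"""ssh plugin."""` is copied from the ssh plugin and should read `"""pki lock file upgrade plugin."""`, and the comment has `vesions` for `versions`. Note also that the event has no condition, so it runs at STAGE_MISC on every engine-setup invocation and removes the lock even if an enroll run currently holds it; that is presumably acceptable because the engine is stopped during setup, but it deserves a sentence in the comment.
```python
    def _misc(self):
        #
        # Lock file was owned by root while new versions
        # require its owner to match the CA private key.
        # Remove it unconditionally (a dangling symlink would
        # fail an exists() check); it is recreated on the next
        # enroll attempt.
        #
        try:
            os.unlink(osetupcons.FileLocations.OVIRT_ENGINE_PKI_LOCKFILE)
        except OSError as e:
            if e.errno != errno.ENOENT:
                raise
```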
