On Fri, 2011-06-17 at 15:37 +0200, Martin Kosek wrote:
> On Fri, 2011-06-17 at 14:44 +0200, Martin Kosek wrote:
> > Make sure that IPA can be installed with root umask set to secure
> > value 077. ipa-server-install was failing in DS configuration phase
> > when dirsrv tried to read boot.ldif created during installation.
> > 
> > https://fedorahosted.org/freeipa/ticket/1282
> > 
> 
> Self-Nack. Even though the install didn't fail, I didn't notice that there
> are still issues with other files, for example the dirsrv schema ldifs. This
> needs to be fixed.
> 
> Martin

Sending a fixed version of the patch. See the ticket for instructions on how
to test.

Martin
>From 87c2caf22d8077921647dbba8422f502e304de21 Mon Sep 17 00:00:00 2001
From: Martin Kosek <mko...@redhat.com>
Date: Fri, 17 Jun 2011 14:19:45 +0200
Subject: [PATCH] Fix IPA install for secure umask

Make sure that IPA can be installed with the root umask set to the secure
value 077. ipa-server-install was failing in the DS configuration phase
when dirsrv tried to read the boot.ldif created during installation.

https://fedorahosted.org/freeipa/ticket/1282
---
 install/tools/ipa-replica-install |   28 +++++++++++++++-----------
 install/tools/ipa-server-install  |   28 +++++++++++++++-----------
 install/tools/ipa-upgradeconfig   |    6 ++++-
 ipaserver/install/dsinstance.py   |   39 +++++++++++++++++++++---------------
 4 files changed, 60 insertions(+), 41 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index c39d992de8c42a1d1e1e641e541aacb705946d40..16f849567b4ac3e85e62c7aec6b4d24163b54a18 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -443,18 +443,22 @@ def main():
 
     # Create the management framework config file
     # Note: We must do this before bootstraping and finalizing ipalib.api
-    fd = open("/etc/ipa/default.conf", "w")
-    fd.write("[global]\n")
-    fd.write("basedn=" + util.realm_to_suffix(config.realm_name) + "\n")
-    fd.write("realm=" + config.realm_name + "\n")
-    fd.write("domain=" + config.domain_name + "\n")
-    fd.write("xmlrpc_uri=https://%s/ipa/xml\n"; % config.host_name)
-    fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(config.realm_name))
-    if ipautil.file_exists(config.dir + "/cacert.p12"):
-        fd.write("enable_ra=True\n")
-        fd.write("ra_plugin=dogtag\n")
-    fd.write("mode=production\n")
-    fd.close()
+    old_umask = os.umask(022)   # must be readable for httpd
+    try:
+        fd = open("/etc/ipa/default.conf", "w")
+        fd.write("[global]\n")
+        fd.write("basedn=" + util.realm_to_suffix(config.realm_name) + "\n")
+        fd.write("realm=" + config.realm_name + "\n")
+        fd.write("domain=" + config.domain_name + "\n")
+        fd.write("xmlrpc_uri=https://%s/ipa/xml\n"; % config.host_name)
+        fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(config.realm_name))
+        if ipautil.file_exists(config.dir + "/cacert.p12"):
+            fd.write("enable_ra=True\n")
+            fd.write("ra_plugin=dogtag\n")
+        fd.write("mode=production\n")
+        fd.close()
+    finally:
+        os.umask(old_umask)
 
     api.bootstrap(in_server=True)
     api.finalize()
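Review bot: The new try/finally restores the umask but not the file handle: if any `fd.write` in the block raises, the `fd.close()` at the end is skipped and the descriptor leaks, so if the project's Python baseline is 2.6 or newer the open/write/close should become `with open("/etc/ipa/default.conf", "w") as fd:` nested inside the umask try, which also drops the explicit close. The file now lands at a fixed 0644, so a comment stating why world-readable is acceptable would help the next reader, e.g. `# world-readable on purpose: holds no secrets, httpd reads it` (the contents visible here are basedn, realm, domain and URIs only). The same pattern appears in the ipa-server-install hunk and in the boot.ldif hunk of dsinstance.py. The `;` after `"xmlrpc_uri=https://%s/ipa/xml\n"` looks like a mail-archive URL artifact rather than part of the patch, but it is worth confirming the patch applies cleanly. main() continues outside the hunk.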
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 886d391a26664faedb8fda084f4dd90ed5540e90..6998b4b203a9f6a36d7df67eb9b196230bd20bb3 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -676,18 +676,22 @@ def main():
     logging.debug("will use dns_forwarders: %s\n" % str(dns_forwarders))
 
     # Create the management framework config file and finalize api
-    fd = open("/etc/ipa/default.conf", "w")
-    fd.write("[global]\n")
-    fd.write("basedn=" + util.realm_to_suffix(realm_name) + "\n")
-    fd.write("realm=" + realm_name + "\n")
-    fd.write("domain=" + domain_name + "\n")
-    fd.write("xmlrpc_uri=https://%s/ipa/xml\n"; % host_name)
-    fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(realm_name))
-    fd.write("enable_ra=True\n")
-    if not options.selfsign:
-        fd.write("ra_plugin=dogtag\n")
-    fd.write("mode=production\n")
-    fd.close()
+    old_umask = os.umask(022)   # must be readable for httpd
+    try:
+        fd = open("/etc/ipa/default.conf", "w")
+        fd.write("[global]\n")
+        fd.write("basedn=" + util.realm_to_suffix(realm_name) + "\n")
+        fd.write("realm=" + realm_name + "\n")
+        fd.write("domain=" + domain_name + "\n")
+        fd.write("xmlrpc_uri=https://%s/ipa/xml\n"; % host_name)
+        fd.write("ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n" % dsinstance.realm_to_serverid(realm_name))
+        fd.write("enable_ra=True\n")
+        if not options.selfsign:
+            fd.write("ra_plugin=dogtag\n")
+        fd.write("mode=production\n")
+        fd.close()
+    finally:
+        os.umask(old_umask)
 
     api.bootstrap(**cfg)
     api.finalize()
diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 0c8d7fcd8b13073797700760848a9362477d23de..4ac3092888b0daa14159d6e789e8e60f425ebb40 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -114,7 +114,11 @@ def check_certs():
     if not os.path.exists("/usr/share/ipa/html/ca.crt"):
         ca_file = "/etc/httpd/alias/cacert.asc"
         if os.path.exists(ca_file):
-            shutil.copyfile(ca_file, "/usr/share/ipa/html/ca.crt")
+            old_umask = os.umask(022)   # make sure its readable by httpd
+            try:
+                shutil.copyfile(ca_file, "/usr/share/ipa/html/ca.crt")
+            finally:
+                os.umask(old_umask)
         else:
             print "Missing Certification Authority file."
             print "You should place a copy of the CA certificate in /usr/share/ipa/html/ca.crt"
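Review bot: Style: this hunk sets the copied file's mode indirectly through a umask save/restore, while the dsinstance.py hunk in the same patch states the intended mode explicitly with `os.chmod`; an explicit `os.chmod("/usr/share/ipa/html/ca.crt", 0644)` after `shutil.copyfile` would make the intended permissions visible at the call site and remove the try/finally. The added comment should read `# make sure it's readable by httpd`. check_certs() starts outside the hunk.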
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 845e1e253503ff660ef3976078bc1e0f5439b52a..84c90815bd04083ba1192742af2e930aa921f9c1 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -358,10 +358,13 @@ class DsInstance(service.Service):
         self.sub_dict['BASEDC'] = self.realm_name.split('.')[0].lower()
         base_txt = ipautil.template_str(BASE_TEMPLATE, self.sub_dict)
         logging.debug(base_txt)
-        base_fd = file("/var/lib/dirsrv/boot.ldif", "w")
-        base_fd.write(base_txt)
-        base_fd.flush()
-        base_fd.close()
+        old_umask = os.umask(022)   # must be readable for dirsrv
+        try:
+            base_fd = open("/var/lib/dirsrv/boot.ldif", "w")
+            base_fd.write(base_txt)
+            base_fd.close()
+        finally:
+            os.umask(old_umask)
 
         inf_txt = ipautil.template_str(INF_TEMPLATE, self.sub_dict)
         logging.debug("writing inf template")
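Review bot: boot.ldif is created world-readable (0644) under the temporary umask 022, whereas the schema hunk later in this patch restricts its files to the directory server account with `os.chmod(..., 0440)` and `os.chown(...)`; if boot.ldif is read by that same account, as the "must be readable for dirsrv" comment suggests, applying the same chmod/chown here would keep the bootstrap LDIF readable only by the process that needs it for the window until `os.remove` deletes it. The dropped `base_fd.flush()` is harmless because `close()` flushes. The enclosing method starts and ends outside the hunk.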
@@ -394,21 +397,25 @@ class DsInstance(service.Service):
         os.remove("/var/lib/dirsrv/boot.ldif")
 
     def __add_default_schemas(self):
-        shutil.copyfile(ipautil.SHARE_DIR + "60kerberos.ldif",
-                        schema_dirname(self.serverid) + "60kerberos.ldif")
-        shutil.copyfile(ipautil.SHARE_DIR + "60samba.ldif",
-                        schema_dirname(self.serverid) + "60samba.ldif")
-        shutil.copyfile(ipautil.SHARE_DIR + "60ipaconfig.ldif",
-                        schema_dirname(self.serverid) + "60ipaconfig.ldif")
-        shutil.copyfile(ipautil.SHARE_DIR + "60basev2.ldif",
-                        schema_dirname(self.serverid) + "60basev2.ldif")
-        shutil.copyfile(ipautil.SHARE_DIR + "60ipasudo.ldif",
-                        schema_dirname(self.serverid) + "60ipasudo.ldif")
+        pent = pwd.getpwnam(DS_USER)
+        for schema_fname in ("60kerberos.ldif",
+                             "60samba.ldif",
+                             "60ipaconfig.ldif",
+                             "60basev2.ldif",
+                             "60ipasudo.ldif"):
+            target_fname = schema_dirname(self.serverid) + schema_fname
+            shutil.copyfile(ipautil.SHARE_DIR + schema_fname, target_fname)
+            os.chmod(target_fname, 0440)    # read access for dirsrv user/group
+            os.chown(target_fname, pent.pw_uid, pent.pw_gid)
+
         try:
             shutil.move(schema_dirname(self.serverid) + "05rfc2247.ldif",
                             schema_dirname(self.serverid) + "05rfc2247.ldif.old")
-            shutil.copyfile(ipautil.SHARE_DIR + "05rfc2247.ldif",
-                            schema_dirname(self.serverid) + "05rfc2247.ldif")
+
+            target_fname = schema_dirname(self.serverid) + "05rfc2247.ldif"
+            shutil.copyfile(ipautil.SHARE_DIR + "05rfc2247.ldif", target_fname)
+            os.chmod(target_fname, 0440)
+            os.chown(target_fname, pent.pw_uid, pent.pw_gid)
         except IOError:
             # Does not apply with newer DS releases
             pass
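Review bot: The copy/chmod/chown triple is now written twice, once in the loop and once for 05rfc2247.ldif; a small private helper would keep the mode and ownership policy in one place and make a later change (say, a different mode) a one-line edit. `pwd.getpwnam(DS_USER)` relies on `pwd` being imported and `DS_USER` being defined in dsinstance.py, neither of which is visible in the hunk, so that is worth checking before merging. Note that `os.chmod`/`os.chown` raise OSError rather than the IOError caught below, so a failure of either on 05rfc2247.ldif propagates instead of being skipped as "does not apply", which is probably intended but deserves a comment such as `# only the move/copy are expected to fail on newer DS; chmod/chown errors are real`. The method's end may lie outside the hunk.
```python
    def __install_schema_file(self, schema_fname, pent):
        """Copy one schema ldif from SHARE_DIR into this instance's schema
        directory and make it readable only by the dirsrv user/group."""
        target_fname = schema_dirname(self.serverid) + schema_fname
        shutil.copyfile(ipautil.SHARE_DIR + schema_fname, target_fname)
        os.chmod(target_fname, 0440)    # read access for dirsrv user/group
        os.chown(target_fname, pent.pw_uid, pent.pw_gid)

    def __add_default_schemas(self):
        pent = pwd.getpwnam(DS_USER)
        for schema_fname in ("60kerberos.ldif",
                             "60samba.ldif",
                             "60ipaconfig.ldif",
                             "60basev2.ldif",
                             "60ipasudo.ldif"):
            self.__install_schema_file(schema_fname, pent)

        try:
            shutil.move(schema_dirname(self.serverid) + "05rfc2247.ldif",
                            schema_dirname(self.serverid) + "05rfc2247.ldif.old")
            self.__install_schema_file("05rfc2247.ldif", pent)
        # … unchanged: except IOError handler …
```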
-- 
1.7.5.4
