On 05/15/2013 12:04 PM, Tomas Babej wrote:
On 05/15/2013 11:40 AM, Ana Krivokapic wrote:
Hello,

See the commit message for details.

https://fedorahosted.org/freeipa/ticket/3594



_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel

+    def regenerate_ca_file(self, ca_file):
+        dm_pwd_fd, dm_pwd_fname = tempfile.mkstemp()
+        keydb_pwd_fd, keydb_pwd_fname = tempfile.mkstemp()
+
+        os.write(dm_pwd_fd, self.dirman_password)
+        os.close(dm_pwd_fd)
+
+        keydb_pwd = ''
+        with open('/etc/pki/pki-tomcat/password.conf') as f:
+            for line in f.readlines():
+                key, value = line.strip().split('=')
+                if key == 'internal':
+                    keydb_pwd = value
+                    break
+
+        os.write(keydb_pwd_fd, keydb_pwd)
+        os.close(keydb_pwd_fd)
+
+        ipautil.run([
+            '/usr/bin/PKCS12Export',
+            '-d', '/etc/pki/pki-tomcat/alias/',
+            '-p', keydb_pwd_fname,
+            '-w', dm_pwd_fname,
+            '-o', ca_file
+        ])
+
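
Review bot: In the password.conf loop, key, value = line.strip().split('=') raises ValueError for any line that does not contain exactly one '=', for example a blank line or a password value that itself contains '='. Use split('=', 1) and skip lines without '='. Separately, if no 'internal' key is found, keydb_pwd stays '' and an empty password file is handed to PKCS12Export through -p; raising a clear error in that case would make the failure easier to diagnose.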

If the PKCS12Export call fails (returns non-zero code), we raise
exception here, and the temporary files are never removed.

+        os.remove(dm_pwd_fname)
+        os.remove(keydb_pwd_fname)
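
Review bot: These two os.remove() calls are reached only when every earlier statement succeeds, so an exception from opening or parsing /etc/pki/pki-tomcat/password.conf, from either os.write(), or from ipautil.run() leaves both password files on disk. Open a try block immediately after the two mkstemp() calls and move the removals into its finally clause, so the cleanup covers the whole function body and not only the PKCS12Export call.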

This might not be a big issue since mkstemp() call creates temporary
file readable and writable only by given user ID,
however, we should not leave files with passwords in plaintext on the
disk if it is not necessary.

This can be easily prevented by wrapping the call up with
try-catch-finally block, or using raiseonerr=False option of run method.

Or by using ipautil.write_tmp_file() – the file it creates is always removed after it's closed/garbage collected, and it has a name attribute.

--
Petr³
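
The cleanup discussed in this thread, as an added example that is not part of the patch or of FreeIPA: password files that are removed even when the export command fails. The names password_file, export_with_passwords and FAILING_TOOL are hypothetical, and the failing command is a constructed stand-in for PKCS12Export built from the standard library only.

```python
import contextlib
import os
import subprocess
import sys
import tempfile


@contextlib.contextmanager
def password_file(secret):
    """Yield the path of a temp file holding `secret`; always remove it."""
    fd, path = tempfile.mkstemp()          # readable/writable by owner only
    try:
        with os.fdopen(fd, "wb") as f:     # closes fd even if the write fails
            f.write(secret)
        yield path
    finally:
        # Runs on success, on a failed write, and on a failed command.
        with contextlib.suppress(FileNotFoundError):
            os.remove(path)


def export_with_passwords(cmd, db_secret, out_secret):
    """Run cmd + ['-p', db_file, '-w', out_file]; return (paths, error)."""
    paths, error = [], None
    try:
        with password_file(db_secret) as p, password_file(out_secret) as w:
            paths = [p, w]
            # check=True raises on a non-zero exit, like ipautil.run() does
            # by default according to the review comments above.
            subprocess.run(cmd + ["-p", p, "-w", w], check=True)
    except subprocess.CalledProcessError as e:
        error = e
    return paths, error


# Constructed stand-in for a failing export tool: exits with status 1.
FAILING_TOOL = [sys.executable, "-c", "import sys; sys.exit(1)"]

if __name__ == "__main__":
    paths, error = export_with_passwords(FAILING_TOOL, b"db-pw", b"out-pw")
    print("tool failed:", error is not None)
    print("files left behind:", [p for p in paths if os.path.exists(p)])
```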
