URL: https://github.com/freeipa/freeipa/pull/471 Author: HonzaCholasta Title: #471: Fix some privilege separation regressions Action: synchronized
From 997191f2ea9f8b6066012b98283204e7a5c56c7e Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Thu, 16 Feb 2017 10:57:14 +0100 Subject: [PATCH 1/5] client install: create /etc/ipa/nssdb with correct mode The NSS database directory is created with mode 640, which causes the IPA client to fail to connect to any IPA server, because it is unable to read trusted CA certificates from the NSS database. Create the directory with mode 644 to fix the issue. https://fedorahosted.org/freeipa/ticket/5959 --- ipaclient/install/client.py | 2 +- ipapython/certdb.py | 10 ++++++++-- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py index e43ec7b..f951770 100644 --- a/ipaclient/install/client.py +++ b/ipaclient/install/client.py @@ -2284,7 +2284,7 @@ def install_check(options): def create_ipa_nssdb(): db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR) - db.create_db(backup=True) + db.create_db(mode=0o755, backup=True) os.chmod(db.pwd_file, 0o600) os.chmod(os.path.join(db.secdir, 'cert8.db'), 0o644) os.chmod(os.path.join(db.secdir, 'key3.db'), 0o644) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index 73387cf..b22c3c1 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -124,9 +124,11 @@ def create_db(self, user=None, group=None, mode=None, backup=False): """ dirmode = 0o750 filemode = 0o640 + pwdfilemode = 0o640 if mode is not None: dirmode = mode filemode = mode & 0o666 + pwdfilemode = mode & 0o660 uid = -1 gid = -1 @@ -147,7 +149,7 @@ def create_db(self, user=None, group=None, mode=None, backup=False): # Create the password file for this db with io.open(os.open(self.pwd_file, os.O_CREAT | os.O_WRONLY, - filemode), 'w', closefd=True) as f: + pwdfilemode), 'w', closefd=True) as f: f.write(ipautil.ipa_generate_password()) f.flush() 
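Review bot: The call `db.create_db(mode=0o755, backup=True)` passes 0o755 while the commit message describes the fix in terms of modes 640 and 644, and certdb.py's directory default is 0o750, not 640; the code looks right and the message is off, so the intent belongs in a comment at the call, e.g. `# 0o755: the client NSS db holds only trusted CA certs and must be world-readable; pwd_file is tightened to 0o600 right below`. With this mode create_db derives `mode & 0o660` = 0o640 for the password file, so the explicit `os.chmod(db.pwd_file, 0o600)` that follows is still what makes the password file owner-only and has to stay after the create_db call. create_ipa_nssdb most likely continues past the end of the hunk.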
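Review bot: The new `pwdfilemode = mode & 0o660` carries an invariant the code does not state: the file holds the NSS database password, so it must never receive the world-readable bit even when the caller asks for world-readable db files (mode 0o755 yields 0o640 here while `filemode` becomes 0o644). Suggested comment above the assignment: `# the password file never inherits the world-readable bit from mode`. The same value is consumed by the os.open call in the second hunk of this file and by the chmod loop in the third; since the creation mode given to os.open is subject to the process umask, the chmod in that third hunk is what actually enforces it, which is worth saying there too. create_db's signature and docstring lie above the hunk, and the docstring would benefit from a line on the mode parameter describing this split (db files get mode & 0o666, the password file mode & 0o660).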
@@ -162,7 +164,11 @@ def create_db(self, user=None, group=None, mode=None, backup=False): if os.path.exists(path): if uid != -1 or gid != -1: os.chown(path, uid, gid) - os.chmod(path, filemode) + if path == self.pwd_file: + new_mode = pwdfilemode + else: + new_mode = filemode + os.chmod(path, new_mode) tasks.restore_context(path) def list_certs(self): From 67d63be7fca7938bf60f1c199b0e570e2e111af3 Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Thu, 16 Feb 2017 11:09:04 +0100 Subject: [PATCH 2/5] server upgrade: fix upgrade in CA-less Use /etc/httpd/alias instead of /var/lib/ipa/radb in upload_cacrt, as /var/lib/ipa/radb is not populated in CA-less. Do not migrate ipaCert from /etc/httpd/alias to /var/lib/ipa/radb in CA-less, as it might be an incorrect certificate from previous CA-ful install, and is not necessary anyway. https://fedorahosted.org/freeipa/ticket/5959 --- ipaserver/install/plugins/update_ra_cert_store.py | 4 ++++ ipaserver/install/plugins/upload_cacrt.py | 3 ++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/plugins/update_ra_cert_store.py b/ipaserver/install/plugins/update_ra_cert_store.py index d7d28fd..c3aef6f 100644 --- a/ipaserver/install/plugins/update_ra_cert_store.py +++ b/ipaserver/install/plugins/update_ra_cert_store.py @@ -22,6 +22,10 @@ class update_ra_cert_store(Updater): """ def execute(self, **options): + ca_enabled = self.api.Command.ca_is_enabled()['result'] + if not ca_enabled: + return False, [] + olddb = certdb.NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR) if not olddb.has_nickname('ipaCert'): # Nothign to do diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py index 1a78108..425ea63 100644 --- a/ipaserver/install/plugins/upload_cacrt.py +++ b/ipaserver/install/plugins/upload_cacrt.py 
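Review bot: The four-line `if path == self.pwd_file: ... else: ...` selecting the chmod mode reads more directly as a conditional expression, `new_mode = pwdfilemode if path == self.pwd_file else filemode`, followed by the unchanged `os.chmod(path, new_mode)`. A one-line comment such as `# password file keeps its tighter mode; db files get filemode` would also make the special case self-explanatory. The loop this sits in appears to start before the hunk.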
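Review bot: The early return `if not ca_enabled: return False, []` is the right guard, but the reason given in the commit message (in CA-less, ipaCert in /etc/httpd/alias may be a leftover from an earlier CA-ful install and must not be migrated) is nowhere in the code; a comment such as `# CA-less: ipaCert in HTTPD_ALIAS_DIR may be a stale leftover of a previous CA-ful install; do not migrate it` keeps a later cleanup from undoing it. The `ca_is_enabled()['result']` lookup matches the one in update_upload_cacrt, so the two plugins stay consistent. execute continues past the end of the hunk.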
@@ -18,6 +18,7 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. from ipalib.install import certstore +from ipaplatform.paths import paths from ipaserver.install import certs from ipalib import Registry, errors from ipalib import Updater @@ -34,7 +35,7 @@ class update_upload_cacrt(Updater): """ def execute(self, **options): - db = certs.CertDB(self.api.env.realm) + db = certs.CertDB(self.api.env.realm, paths.HTTPD_ALIAS_DIR) ca_cert = None ca_enabled = self.api.Command.ca_is_enabled()['result'] From 4de588f7202aa838cc53eaf35f4b6377625424fd Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Thu, 16 Feb 2017 11:13:13 +0100 Subject: [PATCH 3/5] server upgrade: fix upgrade from pre-4.0 update_ca_renewal_master uses ipaCert certmonger tracking information to decide whether the local server is the CA renewal master or not. The information is lost when migrating from /etc/httpd/alias to /var/lib/ipa/radb in update_ra_cert_store. Make sure update_ra_cert_store is executed after update_ca_renewal_master so that correct information is used. https://fedorahosted.org/freeipa/ticket/5959 --- install/updates/05-pre_upgrade_plugins.update | 1 - install/updates/90-post_upgrade_plugins.update | 2 ++ ipaserver/install/plugins/ca_renewal_master.py | 2 +- 3 files changed, 3 insertions(+), 2 deletions(-) diff --git a/install/updates/05-pre_upgrade_plugins.update b/install/updates/05-pre_upgrade_plugins.update index 19918ef..d0e3eb7 100644 --- a/install/updates/05-pre_upgrade_plugins.update +++ b/install/updates/05-pre_upgrade_plugins.update @@ -8,4 +8,3 @@ plugin: update_referint plugin: update_uniqueness_plugins_to_new_syntax # last -plugin: update_ra_cert_store diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update index 7c672e4..34069e7 100644 --- a/install/updates/90-post_upgrade_plugins.update +++ b/install/updates/90-post_upgrade_plugins.update 
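Review bot: `certs.CertDB(self.api.env.realm, paths.HTTPD_ALIAS_DIR)` passes the directory positionally, so a reader cannot tell from the line which CertDB parameter it sets; passing it by keyword, under whatever name CertDB's constructor gives the NSS directory (not visible here), would make the override explicit. The choice itself deserves a comment, since the default location is the one being avoided: `# use /etc/httpd/alias: /var/lib/ipa/radb is not populated on CA-less servers`. The import hunk above only adds `paths` and needs nothing further; execute continues past the hunk.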
@@ -15,6 +15,8 @@ plugin: update_idrange_type plugin: update_pacs plugin: update_service_principalalias plugin: update_upload_cacrt +# update_ra_cert_store has to be executed after update_ca_renewal_master +plugin: update_ra_cert_store # last # DNS version 1 diff --git a/ipaserver/install/plugins/ca_renewal_master.py b/ipaserver/install/plugins/ca_renewal_master.py index 4fa4edb..2447a34 100644 --- a/ipaserver/install/plugins/ca_renewal_master.py +++ b/ipaserver/install/plugins/ca_renewal_master.py @@ -74,7 +74,7 @@ def execute(self, **options): return False, [] criteria = { - 'cert-database': paths.IPA_RADB_DIR, + 'cert-database': paths.HTTPD_ALIAS_DIR, 'cert-nickname': 'ipaCert', } request_id = certmonger.get_request_id(criteria) From dc5bacb643a8c27cc210d87206606afcddb8b582 Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Thu, 16 Feb 2017 11:19:09 +0100 Subject: [PATCH 4/5] server upgrade: always upgrade KRA agent PEM file Before the KRA agent PEM file is exported in server upgrade, the sysupgrade state file is consulted. This causes the KRA agent PEM file not to be exported to the new location if the upgrade was executed in the past. Do not consult the sysupgrade state file to decide whether to upgrade the KRA agent PEM file or not, the existence of the file is enough to make this decision. https://fedorahosted.org/freeipa/ticket/6675 --- ipaserver/install/server/upgrade.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index e65592c..7642637 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py 
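Review bot: The added comment `# update_ra_cert_store has to be executed after update_ca_renewal_master` names a plugin that does not appear in the hunk's context, so the ordering it promises cannot be confirmed from the visible lines of 90-post_upgrade_plugins.update; it is worth checking that update_ca_renewal_master is listed earlier in this file (or in an earlier update file) before merging. The comment would also be more useful if it said why: `# must run after update_ca_renewal_master: that plugin reads the ipaCert certmonger tracking in /etc/httpd/alias, which this migration removes`.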
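Review bot: Switching the certmonger lookup to `'cert-database': paths.HTTPD_ALIAS_DIR` makes this plugin correct only while the ipaCert tracking has not yet been migrated by update_ra_cert_store, a dependency that now lives in another file's ordering; a comment on the criteria dict should say so, e.g. `# ipaCert is still tracked in HTTPD_ALIAS_DIR at this point; update_ra_cert_store moves it to IPA_RADB_DIR and is ordered after this plugin`. Whether a later run, after the migration, copes with get_request_id finding no matching request depends on code below the hunk and cannot be judged here, though the `return False, []` just above suggests an earlier exit for the already-configured case. execute continues past the end of the hunk.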
@@ -1386,7 +1386,9 @@ def fix_trust_flags(): def export_kra_agent_pem(): root_logger.info('[Exporting KRA agent PEM file]') - if sysupgrade.get_upgrade_state('http', 'export_kra_agent_pem'): + sysupgrade.remove_upgrade_state('http', 'export_kra_agent_pem') + + if os.path.exists(paths.KRA_AGENT_PEM): root_logger.info("KRA agent PEM file already exported") return @@ -1396,8 +1398,6 @@ def export_kra_agent_pem(): krainstance.export_kra_agent_pem() - sysupgrade.set_upgrade_state('http', 'export_kra_agent_pem', True) - def update_mod_nss_protocol(http): root_logger.info('[Updating mod_nss protocol versions]') From 5889a6c2be929da6e880c2b23dbe83624b2b4383 Mon Sep 17 00:00:00 2001 From: Jan Cholasta <jchol...@redhat.com> Date: Mon, 20 Feb 2017 08:24:47 +0100 Subject: [PATCH 5/5] server upgrade: fix ipa_memcached removal Make sure all sysupgrade state is removed to not confuse a subsequent upgrade or reinstall. https://fedorahosted.org/freeipa/ticket/5959 --- ipaserver/install/server/upgrade.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 7642637..d3bc9db 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -79,11 +79,12 @@ def uninstall_ipa_memcached(): We can't use the full service uninstaller because that will attempt to stop and disable the service which by now doesn't exist. We just want to clean up sysrestore.state to remove all references to - ipa_kpasswd. + ipa_memcached. """ ipa_memcached = service.SimpleServiceInstance('ipa_memcached') enabled = not ipa_memcached.restore_state("enabled") + ipa_memcached.restore_state("running") if enabled is not None and not enabled: ipa_memcached.remove()
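Review bot: The new guard `if os.path.exists(paths.KRA_AGENT_PEM): return` treats any file at that path as a valid export, so an empty or otherwise unusable file left by an interrupted earlier run would never be rewritten; if krainstance.export_kra_agent_pem sets ownership and mode (not visible here), checking at least that the file is non-empty before returning would make the upgrade self-healing. The preceding `sysupgrade.remove_upgrade_state(...)` deserves a comment, as its purpose is not obvious: `# drop the obsolete state flag; the PEM file's presence is now the only criterion`. The second hunk of this file, which removes the matching set_upgrade_state call, is the consistent counterpart and needs nothing further.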
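Review bot: The added `ipa_memcached.restore_state("running")` discards its return value, which reads like a forgotten assignment; a comment makes the intent clear: `# consume the leftover "running" entry so no ipa_memcached state survives in sysrestore.state`. The commit message speaks of sysupgrade state while the docstring and the restore_state calls deal with sysrestore state; the docstring is the accurate one and the message should probably say sysrestore. uninstall_ipa_memcached continues past the end of the hunk.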