LGTM
On Feb 28 09:32, Helga Velroyen wrote:
> This patch makes sure that the client certificate gets
> the right permissions and owner when created. Additionally
> it enhances the 'ensure_dirs' script to correct the
> permissions in case they are broken for whatever reason.
>
> Signed-off-by: Helga Velroyen <[email protected]>
> ---
> lib/backend.py | 4 +++-
> lib/tools/ensure_dirs.py | 2 ++
> lib/utils/security.py | 9 +++++++--
> lib/utils/x509.py | 10 ++++++++--
> 4 files changed, 20 insertions(+), 5 deletions(-)
>
> diff --git a/lib/backend.py b/lib/backend.py
> index 6a68b2c..6da1ca9 100644
> --- a/lib/backend.py
> +++ b/lib/backend.py
> @@ -1192,6 +1192,7 @@ def GetCryptoTokens(token_requests):
> @return: list of tuples of the token type and the public crypto token
>
> """
> + getents = runtime.GetEnts()
> _VALID_CERT_FILES = [pathutils.NODED_CERT_FILE,
> pathutils.NODED_CLIENT_CERT_FILE,
> pathutils.NODED_CLIENT_CERT_FILE_TMP]
> @@ -1237,7 +1238,8 @@ def GetCryptoTokens(token_requests):
>
> utils.GenerateNewSslCert(
> True, cert_filename, serial_no,
> - "Create new client SSL certificate in %s." % cert_filename)
> + "Create new client SSL certificate in %s." % cert_filename,
> + uid=getents.masterd_uid, gid=getents.masterd_gid)
> tokens.append((token_type,
> utils.GetCertificateDigest(
> cert_filename=cert_filename)))
> diff --git a/lib/tools/ensure_dirs.py b/lib/tools/ensure_dirs.py
> index c173f43..7ecd3f8 100644
> --- a/lib/tools/ensure_dirs.py
> +++ b/lib/tools/ensure_dirs.py
> @@ -151,6 +151,8 @@ def GetPaths():
> getent.noded_uid, getent.masterd_gid, False),
> (pathutils.NODED_CERT_FILE, FILE, pathutils.NODED_CERT_MODE,
> getent.masterd_uid, getent.masterd_gid, False),
> + (pathutils.NODED_CLIENT_CERT_FILE, FILE, pathutils.NODED_CERT_MODE,
> + getent.masterd_uid, getent.masterd_gid, False),
> (pathutils.WATCHER_PAUSEFILE, FILE, 0644,
> getent.masterd_uid, getent.masterd_gid, False),
> ]
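Review bot: The new `(pathutils.NODED_CLIENT_CERT_FILE, FILE, pathutils.NODED_CERT_MODE, ...)` entry repairs the file to NODED_CERT_MODE, while the same file is written by GenerateSelfSignedSslCert in lib/utils/x509.py with the literal mode `0440`, and nothing on this page shows that the constant has that value. If the two differ, every ensure-dirs run silently replaces the mode the creation path just set, so both paths should read one constant — for example `utils_io.WriteFile(filename, mode=pathutils.NODED_CERT_MODE, ...)` in x509.py if pathutils is importable there without a cycle, or otherwise a single constant defined where both modules can reach it. The GetPaths list starts and ends outside the hunk.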
> diff --git a/lib/utils/security.py b/lib/utils/security.py
> index 0d39c54..7b70cbb 100644
> --- a/lib/utils/security.py
> +++ b/lib/utils/security.py
> @@ -100,7 +100,8 @@ def > GetCertificateDigest(cert_filename=pathutils.NODED_CLIENT_CERT_FILE):
> return cert.digest("sha1")
>
>
> -def GenerateNewSslCert(new_cert, cert_filename, serial_no, log_msg):
> +def GenerateNewSslCert(new_cert, cert_filename, serial_no, log_msg,
> + uid=-1, gid=-1):
> """Creates a new SSL certificate and backups the old one.
>
> @type new_cert: boolean
> @@ -111,6 +112,10 @@ def GenerateNewSslCert(new_cert, cert_filename, > serial_no, log_msg):
> @param serial_no: serial number of the certificate
> @type log_msg: string
> @param log_msg: log message to be written on certificate creation
> + @type uid: int
> + @param uid: the user ID of the user who will be owner of the certificate > file
> + @type gid: int
> + @param gid: the group ID of the group who will own the certificate file
>
> """
> cert_exists = os.path.exists(cert_filename)
> @@ -119,7 +124,7 @@ def GenerateNewSslCert(new_cert, cert_filename, > serial_no, log_msg):
> io.CreateBackup(cert_filename)
>
> logging.debug(log_msg)
> - x509.GenerateSelfSignedSslCert(cert_filename, serial_no)
> + x509.GenerateSelfSignedSslCert(cert_filename, serial_no, uid=uid, > gid=gid)
>
>
> def VerifyCertificate(filename):
> diff --git a/lib/utils/x509.py b/lib/utils/x509.py
> index a20162e..b2820da 100644
> --- a/lib/utils/x509.py
> +++ b/lib/utils/x509.py
> @@ -288,7 +288,8 @@ def GenerateSelfSignedX509Cert(common_name, validity, > serial_no):
>
> def GenerateSelfSignedSslCert(filename, serial_no,
> common_name=constants.X509_CERT_CN,
> - validity=constants.X509_CERT_DEFAULT_VALIDITY):
> + validity=constants.X509_CERT_DEFAULT_VALIDITY,
> + uid=-1, gid=-1):
> """Legacy function to generate self-signed X509 certificate.
>
> @type filename: str
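Review bot: The new `uid`/`gid` parameters of GenerateNewSslCert default to `-1`, and the added @param lines say only who will own the file, not what the default does; presumably -1 means "leave ownership as WriteFile would otherwise set it", as with os.chown, and that is what every existing caller now gets. Say so in the docstring, e.g. `@param uid: user ID that will own the certificate file; -1 (the default) leaves the owner unchanged`, with matching text for gid; the same docstring is added to GenerateSelfSignedSslCert in lib/utils/x509.py and needs the same note. The context at @@ -119 also shows `io.CreateBackup(cert_filename)` copying the old key-and-certificate file just before the new one is written with an explicit owner and mode; nothing here shows what mode and owner the backup receives, so it is worth confirming that the backup is not left more readable than the file it preserves. GenerateNewSslCert's body extends beyond each of these hunks.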
> @@ -297,6 +298,10 @@ def GenerateSelfSignedSslCert(filename, serial_no,
> @param common_name: commonName value
> @type validity: int
> @param validity: validity of certificate in number of days
> + @type uid: int
> + @param uid: the user ID of the user who will be owner of the certificate > file
> + @type gid: int
> + @param gid: the group ID of the group who will own the certificate file
> @return: a tuple of strings containing the PEM-encoded private key and
> certificate
>
> @@ -307,7 +312,8 @@ def GenerateSelfSignedSslCert(filename, serial_no,
> (key_pem, cert_pem) = GenerateSelfSignedX509Cert(
> common_name, validity * 24 * 60 * 60, serial_no)
>
> - utils_io.WriteFile(filename, mode=0400, data=key_pem + cert_pem)
> + utils_io.WriteFile(filename, mode=0440, data=key_pem + cert_pem,
> uid=uid, gid=gid)
> return (key_pem, cert_pem)
>
>
> --
> 1.9.0.279.gdc9e3eb
>
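Review bot: Changing the mode in `utils_io.WriteFile(filename, mode=0440, ...)` at @@ -307 from 0400 to 0440 applies to every caller of GenerateSelfSignedSslCert, not only to the client certificate the commit message describes, and the data written here is `key_pem + cert_pem`, so making the private key group-readable is a policy change that deserves to be scoped and stated. A keyword parameter that keeps the old default does that: `def GenerateSelfSignedSslCert(filename, serial_no, common_name=constants.X509_CERT_CN, validity=constants.X509_CERT_DEFAULT_VALIDITY, uid=-1, gid=-1, mode=0400):` together with `utils_io.WriteFile(filename, mode=mode, data=key_pem + cert_pem, uid=uid, gid=gid)`, with GetCryptoTokens passing the client-certificate mode explicitly through GenerateNewSslCert. The docstring should then document `mode` next to the new uid/gid entries; the signature line itself is in the hunk at @@ -288, not in this one.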
--
Jose Antonio Lopes
Ganeti Engineering
Google Germany GmbH
Dienerstr. 12, 80331, München
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
Steuernummer: 48/725/00206
Umsatzsteueridentifikationsnummer: DE813741370
