On Fri, 2011-06-17 at 15:37 +0200, Martin Kosek wrote:
On Fri, 2011-06-17 at 14:44 +0200, Martin Kosek wrote:
Make sure that IPA can be installed with root umask set to secure
value 077. ipa-server-install was failing in DS configuration phase
when dirsrv tried to read boot.ldif created during installation.
https://fedorahosted.org/freeipa/ticket/1282
Self-Nack. Even though install didn't fail, I didn't notice there are
still issues with other files. For example dirsrv schema ldifs. This
needs to be fixed.
Martin
Sending a fixed version of the patch. See the ticket for instructions on how to
test it.
Martin
From 87c2caf22d8077921647dbba8422f502e304de21 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Fri, 17 Jun 2011 14:19:45 +0200
Subject: [PATCH] Fix IPA install for secure umask
Make sure that IPA can be installed with root umask set to secure
value 077. ipa-server-install was failing in DS configuration phase
when dirsrv tried to read boot.ldif created during installation.
https://fedorahosted.org/freeipa/ticket/1282
---
install/tools/ipa-replica-install | 28 +++---
install/tools/ipa-server-install | 28 +++---
install/tools/ipa-upgradeconfig |6 -
ipaserver/install/dsinstance.py | 39 +---
4 files changed, 60 insertions(+), 41 deletions(-)
diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index c39d992de8c42a1d1e1e641e541aacb705946d40..16f849567b4ac3e85e62c7aec6b4d24163b54a18 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -443,18 +443,22 @@ def main():
# Create the management framework config file
# Note: We must do this before bootstraping and finalizing ipalib.api
-fd = open(/etc/ipa/default.conf, w)
-fd.write([global]\n)
-fd.write(basedn= + util.realm_to_suffix(config.realm_name) + \n)
-fd.write(realm= + config.realm_name + \n)
-fd.write(domain= + config.domain_name + \n)
-fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % config.host_name)
-fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(config.realm_name))
-if ipautil.file_exists(config.dir + /cacert.p12):
-fd.write(enable_ra=True\n)
-fd.write(ra_plugin=dogtag\n)
-fd.write(mode=production\n)
-fd.close()
+old_umask = os.umask(022) # must be readable for httpd
+try:
+fd = open(/etc/ipa/default.conf, w)
+fd.write([global]\n)
+fd.write(basedn= + util.realm_to_suffix(config.realm_name) + \n)
+fd.write(realm= + config.realm_name + \n)
+fd.write(domain= + config.domain_name + \n)
+fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % config.host_name)
+fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(config.realm_name))
+if ipautil.file_exists(config.dir + /cacert.p12):
+fd.write(enable_ra=True\n)
+fd.write(ra_plugin=dogtag\n)
+fd.write(mode=production\n)
+fd.close()
+finally:
+os.umask(old_umask)
api.bootstrap(in_server=True)
api.finalize()
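Review bot: Narrowing the umask to 022 around the open() only governs the mode of a file that is created by that call; if /etc/ipa/default.conf already exists (for example left behind by an earlier run under umask 077, the very scenario this patch targets) open(..., 'w') truncates it but keeps the existing 0600 mode, so httpd still cannot read it. Set the mode explicitly rather than relying on the inherited umask, e.g. `os.chmod('/etc/ipa/default.conf', 0644)` right after `fd.close()`, which also states the intent directly instead of through process-global umask state. The try/finally that restores the previous umask is the right shape, since umask affects every file the process creates in that window. main() continues outside the hunk.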
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 886d391a26664faedb8fda084f4dd90ed5540e90..6998b4b203a9f6a36d7df67eb9b196230bd20bb3 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -676,18 +676,22 @@ def main():
logging.debug(will use dns_forwarders: %s\n % str(dns_forwarders))
# Create the management framework config file and finalize api
-fd = open(/etc/ipa/default.conf, w)
-fd.write([global]\n)
-fd.write(basedn= + util.realm_to_suffix(realm_name) + \n)
-fd.write(realm= + realm_name + \n)
-fd.write(domain= + domain_name + \n)
-fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % host_name)
-fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(realm_name))
-fd.write(enable_ra=True\n)
-if not options.selfsign:
-fd.write(ra_plugin=dogtag\n)
-fd.write(mode=production\n)
-fd.close()
+old_umask = os.umask(022) # must be readable for httpd
+try:
+fd = open(/etc/ipa/default.conf, w)
+fd.write([global]\n)
+fd.write(basedn= + util.realm_to_suffix(realm_name) + \n)
+fd.write(realm= + realm_name + \n)
+fd.write(domain= + domain_name + \n)
+fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % host_name)
+fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(realm_name))
+fd.write(enable_ra=True\n)
+if not options.selfsign:
+fd.write(ra_plugin=dogtag\n)
+fd.write(mode=production\n)
+fd.close()
+finally:
+os.umask(old_umask)
api.bootstrap(**cfg)
api.finalize()
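Review bot: `fd.close()` sits inside the try body rather than in the finally, so an exception from any of the write() calls leaves the file object open and a partially written config on disk while only the umask is restored; a context manager closes it on every path. Replace `fd = open("/etc/ipa/default.conf", "w")` with `with open("/etc/ipa/default.conf", "w") as fd:` (indenting the writes under it) and drop `fd.close()`, keeping the outer try/finally for the umask. The umask/try/finally wrapper is now duplicated verbatim between ipa-server-install and ipa-replica-install; it would be easier to keep the two in step as one helper in ipautil that takes the config lines to write. main() continues outside the hunk.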
diff --git a/install/tools/ipa-upgradeconfig