Re: [Freeipa-devel] [PATCH] 086 Fix IPA install for secure umask

2011-06-22 Thread Rob Crittenden

Martin Kosek wrote:
> On Fri, 2011-06-17 at 15:37 +0200, Martin Kosek wrote:
>> On Fri, 2011-06-17 at 14:44 +0200, Martin Kosek wrote:
>>> Make sure that IPA can be installed with root umask set to secure
>>> value 077. ipa-server-install was failing in DS configuration phase
>>> when dirsrv tried to read boot.ldif created during installation.
>>>
>>> https://fedorahosted.org/freeipa/ticket/1282
>>
>> Self-Nack. Even though install didn't fail, I didn't notice there are
>> still issues with other files. For example dirsrv schema ldifs. This
>> needs to be fixed.
>>
>> Martin
>
> Sending a fixed version of the patch. See the ticket for instructions on how to
> test.
>
> Martin


Ack, pushed to master and ipa-2-0

rob

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 086 Fix IPA install for secure umask

2011-06-21 Thread Martin Kosek
On Fri, 2011-06-17 at 15:37 +0200, Martin Kosek wrote:
> On Fri, 2011-06-17 at 14:44 +0200, Martin Kosek wrote:
>> Make sure that IPA can be installed with root umask set to secure
>> value 077. ipa-server-install was failing in DS configuration phase
>> when dirsrv tried to read boot.ldif created during installation.
>>
>> https://fedorahosted.org/freeipa/ticket/1282
>
> Self-Nack. Even though install didn't fail, I didn't notice there are
> still issues with other files. For example dirsrv schema ldifs. This
> needs to be fixed.
>
> Martin

Sending a fixed version of the patch. See the ticket for instructions on how to
test.

Martin
From 87c2caf22d8077921647dbba8422f502e304de21 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Fri, 17 Jun 2011 14:19:45 +0200
Subject: [PATCH] Fix IPA install for secure umask

Make sure that IPA can be installed with root umask set to secure
value 077. ipa-server-install was failing in DS configuration phase
when dirsrv tried to read boot.ldif created during installation.

https://fedorahosted.org/freeipa/ticket/1282
---
 install/tools/ipa-replica-install |   28 +++---
 install/tools/ipa-server-install  |   28 +++---
 install/tools/ipa-upgradeconfig   |6 -
 ipaserver/install/dsinstance.py   |   39 +---
 4 files changed, 60 insertions(+), 41 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index c39d992de8c42a1d1e1e641e541aacb705946d40..16f849567b4ac3e85e62c7aec6b4d24163b54a18 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -443,18 +443,22 @@ def main():
 
 # Create the management framework config file
 # Note: We must do this before bootstraping and finalizing ipalib.api
-fd = open(/etc/ipa/default.conf, w)
-fd.write([global]\n)
-fd.write(basedn= + util.realm_to_suffix(config.realm_name) + \n)
-fd.write(realm= + config.realm_name + \n)
-fd.write(domain= + config.domain_name + \n)
-fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % config.host_name)
-fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(config.realm_name))
-if ipautil.file_exists(config.dir + /cacert.p12):
-fd.write(enable_ra=True\n)
-fd.write(ra_plugin=dogtag\n)
-fd.write(mode=production\n)
-fd.close()
+old_umask = os.umask(022)   # must be readable for httpd
+try:
+fd = open(/etc/ipa/default.conf, w)
+fd.write([global]\n)
+fd.write(basedn= + util.realm_to_suffix(config.realm_name) + \n)
+fd.write(realm= + config.realm_name + \n)
+fd.write(domain= + config.domain_name + \n)
+fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % config.host_name)
+fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(config.realm_name))
+if ipautil.file_exists(config.dir + /cacert.p12):
+fd.write(enable_ra=True\n)
+fd.write(ra_plugin=dogtag\n)
+fd.write(mode=production\n)
+fd.close()
+finally:
+os.umask(old_umask)
 
 api.bootstrap(in_server=True)
 api.finalize()
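Review bot: widening the umask to 022 around the write leaves /etc/ipa/default.conf created as 0644, i.e. readable by every local user, not only by httpd as the inline comment states; the settings written here (basedn, realm, domain, the two URIs and the RA flags) are not secrets, so this is likely acceptable, but an explicit os.chmod()/chown to the httpd group after the write, with the restrictive umask left in place, would express the required permission in one spot instead of depending on the process umask at that moment. Also, fd.close() sits inside the try body, so a failing fd.write() restores the umask but leaves the descriptor open until garbage collection; closing in the finally block or using a with statement would tidy that up.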
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 886d391a26664faedb8fda084f4dd90ed5540e90..6998b4b203a9f6a36d7df67eb9b196230bd20bb3 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -676,18 +676,22 @@ def main():
 logging.debug(will use dns_forwarders: %s\n % str(dns_forwarders))
 
 # Create the management framework config file and finalize api
-fd = open(/etc/ipa/default.conf, w)
-fd.write([global]\n)
-fd.write(basedn= + util.realm_to_suffix(realm_name) + \n)
-fd.write(realm= + realm_name + \n)
-fd.write(domain= + domain_name + \n)
-fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % host_name)
-fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(realm_name))
-fd.write(enable_ra=True\n)
-if not options.selfsign:
-fd.write(ra_plugin=dogtag\n)
-fd.write(mode=production\n)
-fd.close()
+old_umask = os.umask(022)   # must be readable for httpd
+try:
+fd = open(/etc/ipa/default.conf, w)
+fd.write([global]\n)
+fd.write(basedn= + util.realm_to_suffix(realm_name) + \n)
+fd.write(realm= + realm_name + \n)
+fd.write(domain= + domain_name + \n)
+fd.write(xmlrpc_uri=https://%s/ipa/xml\n; % host_name)
+fd.write(ldap_uri=ldapi://%%2fvar%%2frun%%2fslapd-%s.socket\n % dsinstance.realm_to_serverid(realm_name))
+fd.write(enable_ra=True\n)
+if not options.selfsign:
+fd.write(ra_plugin=dogtag\n)
+fd.write(mode=production\n)
+fd.close()
+finally:
+os.umask(old_umask)
 
 api.bootstrap(**cfg)
 api.finalize()
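Review bot: this block duplicates the ipa-replica-install change line for line (same umask save/restore, same sequence of fd.write calls), and the two copies already differ only in where realm/domain/host come from; a small shared helper that writes default.conf from a mapping of settings and owns the umask handling would keep the two installers from drifting further. Note also that os.umask() is process-wide, so any other file created while this block runs inherits the 022 umask; the block is short and nothing else creates files in it, which is exactly why the try/finally should stay as tight as it is here.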
diff --git a/install/tools/ipa-upgradeconfig 

[Freeipa-devel] [PATCH] 086 Fix IPA install for secure umask

2011-06-17 Thread Martin Kosek
Make sure that IPA can be installed with root umask set to secure
value 077. ipa-server-install was failing in DS configuration phase
when dirsrv tried to read boot.ldif created during installation.

https://fedorahosted.org/freeipa/ticket/1282

From 34f509c968195aaad0088d302374066ba56ce391 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Fri, 17 Jun 2011 14:19:45 +0200
Subject: [PATCH] Fix IPA install for secure umask

Make sure that IPA can be installed with root umask set to secure
value 077. ipa-server-install was failing in DS configuration phase
when dirsrv tried to read boot.ldif created during installation.

https://fedorahosted.org/freeipa/ticket/1282
---
 ipaserver/install/dsinstance.py |   11 +++
 1 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 845e1e253503ff660ef3976078bc1e0f5439b52a..11078f628fcf52c235c8b71080532e8d20324557 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -358,10 +358,13 @@ class DsInstance(service.Service):
 self.sub_dict['BASEDC'] = self.realm_name.split('.')[0].lower()
 base_txt = ipautil.template_str(BASE_TEMPLATE, self.sub_dict)
 logging.debug(base_txt)
-base_fd = file(/var/lib/dirsrv/boot.ldif, w)
-base_fd.write(base_txt)
-base_fd.flush()
-base_fd.close()
+old_umask = os.umask(022)   # must be readable for dirsrv
+try:
+base_fd = open(/var/lib/dirsrv/boot.ldif, w)
+base_fd.write(base_txt)
+base_fd.close()
+finally:
+os.umask(old_umask)
 
 inf_txt = ipautil.template_str(INF_TEMPLATE, self.sub_dict)
 logging.debug(writing inf template)
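Review bot: the switch from file() to open() and dropping base_fd.flush() are fine (close() flushes), but os.umask(022) makes /var/lib/dirsrv/boot.ldif 0644, readable by every local user, whereas the comment only calls for it to be readable by dirsrv; an explicit chmod/chown to the dirsrv user after the write would be the more precise fix. The hunk also relies on os being imported in dsinstance.py, which is not visible in the context lines and should be confirmed. Finally, as the self-Nack in this thread points out, the schema ldifs written during DS setup hit the same umask problem, so the same treatment needs to be applied wherever the installer creates files that a service account must read.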
-- 
1.7.5.4


Re: [Freeipa-devel] [PATCH] 086 Fix IPA install for secure umask

2011-06-17 Thread Martin Kosek
On Fri, 2011-06-17 at 14:44 +0200, Martin Kosek wrote:
> Make sure that IPA can be installed with root umask set to secure
> value 077. ipa-server-install was failing in DS configuration phase
> when dirsrv tried to read boot.ldif created during installation.
>
> https://fedorahosted.org/freeipa/ticket/1282

Self-Nack. Even though install didn't fail, I didn't notice there are
still issues with other files. For example dirsrv schema ldifs. This
needs to be fixed.

Martin
