[Freeipa-devel] [freeipa PR#471][synchronized] Fix some privilege separation regressions

2017-02-20 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/471
Author: HonzaCholasta
 Title: #471: Fix some privilege separation regressions
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/471/head:pr471
git checkout pr471
From 997191f2ea9f8b6066012b98283204e7a5c56c7e Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 16 Feb 2017 10:57:14 +0100
Subject: [PATCH 1/5] client install: create /etc/ipa/nssdb with correct mode

The NSS database directory is created with mode 640, which causes the IPA
client to fail to connect to any IPA server, because it is unable to read
trusted CA certificates from the NSS database.

Create the directory with mode 644 to fix the issue.

https://fedorahosted.org/freeipa/ticket/5959
---
 ipaclient/install/client.py |  2 +-
 ipapython/certdb.py | 10 --
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index e43ec7b..f951770 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2284,7 +2284,7 @@ def install_check(options):
 
 def create_ipa_nssdb():
 db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
-db.create_db(backup=True)
+db.create_db(mode=0o755, backup=True)
 os.chmod(db.pwd_file, 0o600)
 os.chmod(os.path.join(db.secdir, 'cert8.db'), 0o644)
 os.chmod(os.path.join(db.secdir, 'key3.db'), 0o644)
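Review bot: The literal `0o755` passed to `create_db` carries no comment, and the commit message describes the fix as mode 644, so a reader cannot tell which value is intended. Per the certdb.py hunks of this patch, `create_db` derives the file modes from this argument: `mode & 0o666` gives 0o644 for the database files and `mode & 0o660` gives 0o640 for the password file. A short comment such as `# world-searchable dir so the client can read the trusted CA certs; pwd_file is tightened to 0o600 below` would record the intent. The password file stays group-readable between the `create_db` call and the following `os.chmod(db.pwd_file, 0o600)`. `create_ipa_nssdb` continues past the end of the hunk.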
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 73387cf..b22c3c1 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -124,9 +124,11 @@ def create_db(self, user=None, group=None, mode=None, backup=False):
 """
 dirmode = 0o750
 filemode = 0o640
+pwdfilemode = 0o640
 if mode is not None:
 dirmode = mode
 filemode = mode & 0o666
+pwdfilemode = mode & 0o660
 
 uid = -1
 gid = -1
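Review bot: `pwdfilemode = mode & 0o660` strips only the "other" bits, so any caller that asks for a group-accessible directory also gets a group-readable (or, with 0o770, group-writable) password file. If no caller needs the group to read the NSS password, `pwdfilemode = mode & 0o600` would be the safer derivation. Otherwise the docstring, which ends just above this hunk, should state that `mode` is the directory mode and explain how the two file modes are derived from it. The client.py hunk in this patch already has to re-tighten the file to 0o600 after the call.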
@@ -147,7 +149,7 @@ def create_db(self, user=None, group=None, mode=None, backup=False):
 # Create the password file for this db
 with io.open(os.open(self.pwd_file,
  os.O_CREAT | os.O_WRONLY,
- filemode), 'w', closefd=True) as f:
+ pwdfilemode), 'w', closefd=True) as f:
 f.write(ipautil.ipa_generate_password())
 f.flush()
 
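Review bot: The mode passed to `os.open` takes effect only when the call creates the file, and it is further reduced by the process umask. With `os.O_CREAT | os.O_WRONLY` alone, an already existing `pwd_file` (or a symlink at that path) is opened with whatever owner and permissions it had, and the new password is written into it without truncation. Whether the file can exist at this point depends on the backup handling outside the hunk. If it cannot, `os.O_CREAT | os.O_EXCL | os.O_WRONLY` makes that explicit and refuses a pre-placed file; if it can, add `os.O_TRUNC` and a comment that the final permissions come from the later `os.chmod`.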
@@ -162,7 +164,11 @@ def create_db(self, user=None, group=None, mode=None, backup=False):
 if os.path.exists(path):
 if uid != -1 or gid != -1:
 os.chown(path, uid, gid)
-os.chmod(path, filemode)
+if path == self.pwd_file:
+new_mode = pwdfilemode
+else:
+new_mode = filemode
+os.chmod(path, new_mode)
 tasks.restore_context(path)
 
 def list_certs(self):
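Review bot: The four-line `if`/`else` that picks the mode reads more directly as a conditional expression, `new_mode = pwdfilemode if path == self.pwd_file else filemode`, followed by the unchanged `os.chmod(path, new_mode)`. A one-line comment above it, such as `# the password file never gets the "other" permission bits`, would say why this path is special. The loop this code sits in starts outside the hunk.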

From 67d63be7fca7938bf60f1c199b0e570e2e111af3 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 16 Feb 2017 11:09:04 +0100
Subject: [PATCH 2/5] server upgrade: fix upgrade in CA-less

Use /etc/httpd/alias instead of /var/lib/ipa/radb in upload_cacrt, as
/var/lib/ipa/radb is not populated in a CA-less deployment.

Do not migrate ipaCert from /etc/httpd/alias to /var/lib/ipa/radb in a
CA-less deployment, as it might be an incorrect certificate from a previous
CA-ful install, and is not necessary anyway.

https://fedorahosted.org/freeipa/ticket/5959
---
 ipaserver/install/plugins/update_ra_cert_store.py | 4 
 ipaserver/install/plugins/upload_cacrt.py | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/plugins/update_ra_cert_store.py b/ipaserver/install/plugins/update_ra_cert_store.py
index d7d28fd..c3aef6f 100644
--- a/ipaserver/install/plugins/update_ra_cert_store.py
+++ b/ipaserver/install/plugins/update_ra_cert_store.py
@@ -22,6 +22,10 @@ class update_ra_cert_store(Updater):
 """
 
 def execute(self, **options):
+ca_enabled = self.api.Command.ca_is_enabled()['result']
+if not ca_enabled:
+return False, []
+
 olddb = certdb.NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
 if not olddb.has_nickname('ipaCert'):
 # Nothign to do
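Review bot: The early return added at the top of `execute` skips the migration without recording why. The reason, that in a CA-less setup `ipaCert` in `HTTPD_ALIAS_DIR` may be left over from an earlier CA-ful install, appears only in the commit message. A comment above the check, e.g. `# CA-less: ipaCert in the old DB may be stale from a previous CA-ful install; do not migrate it`, would keep that rationale with the code. A debug-level log message on this path would also help when diagnosing upgrades. The body of `execute` continues after the hunk.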
diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
index 1a78108..425ea63 100644
--- a/ipaserver/install/plugins/upload_cacrt.py
+++ b/ipaserver/install/plugins/upload_cacrt.py
@@ -18,6 +18,7 @@
 # along with this program.  If not, see .
 
 from ipalib.install import certstore
+from ipaplatform.paths import paths
 from ipaserver.install import certs
 from ipalib import Registry, errors
 from ipalib import Updater
@@ -34,7 +35,7 @@ class update_upload_cacrt(Updater):
 """
 
 def execute(self, **options):
-db = certs.CertDB(self.api.env.realm)
+db = 

[Freeipa-devel] [freeipa PR#471][synchronized] Fix some privilege separation regressions

2017-02-20 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/471
Author: HonzaCholasta
 Title: #471: Fix some privilege separation regressions
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/471/head:pr471
git checkout pr471
From 997191f2ea9f8b6066012b98283204e7a5c56c7e Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 16 Feb 2017 10:57:14 +0100
Subject: [PATCH 1/5] client install: create /etc/ipa/nssdb with correct mode

The NSS database directory is created with mode 640, which causes the IPA
client to fail to connect to any IPA server, because it is unable to read
trusted CA certificates from the NSS database.

Create the directory with mode 644 to fix the issue.

https://fedorahosted.org/freeipa/ticket/5959
---
 ipaclient/install/client.py |  2 +-
 ipapython/certdb.py | 10 --
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index e43ec7b..f951770 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2284,7 +2284,7 @@ def install_check(options):
 
 def create_ipa_nssdb():
 db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
-db.create_db(backup=True)
+db.create_db(mode=0o755, backup=True)
 os.chmod(db.pwd_file, 0o600)
 os.chmod(os.path.join(db.secdir, 'cert8.db'), 0o644)
 os.chmod(os.path.join(db.secdir, 'key3.db'), 0o644)
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 73387cf..b22c3c1 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -124,9 +124,11 @@ def create_db(self, user=None, group=None, mode=None, backup=False):
 """
 dirmode = 0o750
 filemode = 0o640
+pwdfilemode = 0o640
 if mode is not None:
 dirmode = mode
 filemode = mode & 0o666
+pwdfilemode = mode & 0o660
 
 uid = -1
 gid = -1
@@ -147,7 +149,7 @@ def create_db(self, user=None, group=None, mode=None, backup=False):
 # Create the password file for this db
 with io.open(os.open(self.pwd_file,
  os.O_CREAT | os.O_WRONLY,
- filemode), 'w', closefd=True) as f:
+ pwdfilemode), 'w', closefd=True) as f:
 f.write(ipautil.ipa_generate_password())
 f.flush()
 
@@ -162,7 +164,11 @@ def create_db(self, user=None, group=None, mode=None, backup=False):
 if os.path.exists(path):
 if uid != -1 or gid != -1:
 os.chown(path, uid, gid)
-os.chmod(path, filemode)
+if path == self.pwd_file:
+new_mode = pwdfilemode
+else:
+new_mode = filemode
+os.chmod(path, new_mode)
 tasks.restore_context(path)
 
 def list_certs(self):

From 67d63be7fca7938bf60f1c199b0e570e2e111af3 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 16 Feb 2017 11:09:04 +0100
Subject: [PATCH 2/5] server upgrade: fix upgrade in CA-less

Use /etc/httpd/alias instead of /var/lib/ipa/radb in upload_cacrt, as
/var/lib/ipa/radb is not populated in a CA-less deployment.

Do not migrate ipaCert from /etc/httpd/alias to /var/lib/ipa/radb in a
CA-less deployment, as it might be an incorrect certificate from a previous
CA-ful install, and is not necessary anyway.

https://fedorahosted.org/freeipa/ticket/5959
---
 ipaserver/install/plugins/update_ra_cert_store.py | 4 
 ipaserver/install/plugins/upload_cacrt.py | 3 ++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/plugins/update_ra_cert_store.py b/ipaserver/install/plugins/update_ra_cert_store.py
index d7d28fd..c3aef6f 100644
--- a/ipaserver/install/plugins/update_ra_cert_store.py
+++ b/ipaserver/install/plugins/update_ra_cert_store.py
@@ -22,6 +22,10 @@ class update_ra_cert_store(Updater):
 """
 
 def execute(self, **options):
+ca_enabled = self.api.Command.ca_is_enabled()['result']
+if not ca_enabled:
+return False, []
+
 olddb = certdb.NSSDatabase(nssdir=paths.HTTPD_ALIAS_DIR)
 if not olddb.has_nickname('ipaCert'):
 # Nothign to do
diff --git a/ipaserver/install/plugins/upload_cacrt.py b/ipaserver/install/plugins/upload_cacrt.py
index 1a78108..425ea63 100644
--- a/ipaserver/install/plugins/upload_cacrt.py
+++ b/ipaserver/install/plugins/upload_cacrt.py
@@ -18,6 +18,7 @@
 # along with this program.  If not, see .
 
 from ipalib.install import certstore
+from ipaplatform.paths import paths
 from ipaserver.install import certs
 from ipalib import Registry, errors
 from ipalib import Updater
@@ -34,7 +35,7 @@ class update_upload_cacrt(Updater):
 """
 
 def execute(self, **options):
-db = certs.CertDB(self.api.env.realm)
+db =