URL: https://github.com/freeipa/freeipa/pull/5000 Author: flo-renaud Title: #5000: [Backport][ipa-4-8] Set permissions of /etc/ipa/ca.crt to 0644 in CA-less installs Action: opened
PR body: """ This PR was opened automatically because PR #4989 was pushed to master and backport to ipa-4-8 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5000/head:pr5000 git checkout pr5000
From 80792c240fd2e2f184977589e1f9a9b27e22f906 Mon Sep 17 00:00:00 2001 From: Rob Crittenden <rcrit...@redhat.com> Date: Tue, 4 Aug 2020 15:09:56 -0400 Subject: [PATCH 1/2] Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations It was previously being set to 0444 which triggered a warning in freeipa-healthcheck. Even root needs DAC_OVERRIDE capability to write to a 0o444 file which may not be available in some environments. https://pagure.io/freeipa/issue/8441 --- ipaserver/install/certs.py | 2 +- ipaserver/install/server/install.py | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py index 22ee79bd1d..51d9f92219 100644 --- a/ipaserver/install/certs.py +++ b/ipaserver/install/certs.py @@ -329,7 +329,7 @@ def export_ca_cert(self, nickname, create_pkcs12=False): ipautil.backup_file(cacert_fname) root_nicknames = self.find_root_cert(nickname)[:-1] with open(cacert_fname, "w") as f: - os.fchmod(f.fileno(), stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH) + os.fchmod(f.fileno(), 0o644) for root in root_nicknames: result = self.run_certutil(["-L", "-n", root, "-a"], capture_output=True) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index b53c58e2a6..6a593602fc 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -891,9 +891,8 @@ def install(installer): ca.install_step_0(False, None, options, custodia=custodia) else: - # Put the CA cert where other instances expect it - x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT) - os.chmod(paths.IPA_CA_CRT, 0o444) + # /etc/ipa/ca.crt is created as a side-effect of + # dsinstance::enable_ssl() via export_ca_cert() if not options.no_pkinit: x509.write_certificate(http_ca_cert, paths.KDC_CA_BUNDLE_PEM) From 83ddfbfd6db62a45852959af8440d9c35532813a Mon Sep 17 00:00:00 2001 From: Rob Crittenden <rcrit...@redhat.com> Date: Tue, 4 Aug 2020 15:12:20 -0400 Subject: [PATCH 2/2] ipatests: Check permissions of /etc/ipa/ca.crt new installations It should be 0644 root:root for both CA-ful and CA-less installs. https://pagure.io/freeipa/issue/8441 --- ipatests/test_integration/test_caless.py | 8 ++++++++ ipatests/test_integration/test_installation.py | 10 ++++++++++ 2 files changed, 18 insertions(+) diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py index 1ea7d9896f..16dfbb320b 100644 --- a/ipatests/test_integration/test_caless.py +++ b/ipatests/test_integration/test_caless.py @@ -394,6 +394,14 @@ def verify_installation(self): host, cert_from_ldap.public_bytes(x509.Encoding.PEM)) assert cert_from_ldap == expected_cacrt + result = host.run_command( + ["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT] + ) + (owner, group, mode) = result.stdout_text.strip().split(':') + assert owner == "root" + assert group == "root" + assert mode == "644" + # Verify certmonger was not started result = host.run_command(['getcert', 'list'], raiseonerr=False) assert result.returncode == 0 diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py index 100a5a7666..fb19900838 100644 --- a/ipatests/test_integration/test_installation.py +++ b/ipatests/test_integration/test_installation.py @@ -346,6 +346,16 @@ def test_certmonger_reads_token_HSM(self): status = tasks.wait_for_request(self.master, request_id[0], 300) assert status == "MONITORING" + def test_ipa_ca_crt_permissions(self): + """Verify that /etc/ipa/ca.cert is mode 0644 root:root""" + result = self.master.run_command( + ["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT] + ) + out = str(result.stdout_text.strip()) + (owner, group, mode) = out.split(':') + assert mode == "644" + assert owner == "root" + assert group == "root" class TestInstallWithCA_KRA1(InstallTestBase1):
_______________________________________________ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org