URL: https://github.com/freeipa/freeipa/pull/5000
Author: flo-renaud
 Title: #5000: [Backport][ipa-4-8] Set permissions of /etc/ipa/ca.crt to 0644 
in CA-less installs
Action: opened

PR body:
"""
This PR was opened automatically because PR #4989 was pushed to master and 
backport to ipa-4-8 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5000/head:pr5000
git checkout pr5000
From 80792c240fd2e2f184977589e1f9a9b27e22f906 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Tue, 4 Aug 2020 15:09:56 -0400
Subject: [PATCH 1/2] Set mode of /etc/ipa/ca.crt to 0644 in CA-less
 installations

It was previously being set to 0444 which triggered a warning
in freeipa-healthcheck.

Even root needs the DAC_OVERRIDE capability to write to a 0o444 file, and
that capability may not be available in some environments.

https://pagure.io/freeipa/issue/8441
---
 ipaserver/install/certs.py          | 2 +-
 ipaserver/install/server/install.py | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 22ee79bd1d..51d9f92219 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -329,7 +329,7 @@ def export_ca_cert(self, nickname, create_pkcs12=False):
         ipautil.backup_file(cacert_fname)
         root_nicknames = self.find_root_cert(nickname)[:-1]
         with open(cacert_fname, "w") as f:
-            os.fchmod(f.fileno(), stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
+            os.fchmod(f.fileno(), 0o644)
             for root in root_nicknames:
                 result = self.run_certutil(["-L", "-n", root, "-a"],
                                            capture_output=True)
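Review bot: The new `os.fchmod(f.fileno(), 0o644)` line deserves a comment, because the literal replaces the symbolic `stat` constants and the reason for 0644 lives only in the commit message; suggest `# 0644, not 0444: root must be able to rewrite this file without CAP_DAC_OVERRIDE, and healthcheck warns on 0444 (pagure issue 8441)`. With the `stat` constants gone from this line, check whether `stat` is still referenced elsewhere in certs.py; if not, its import is now unused. Because the file is opened with `"w"` before `fchmod` runs, a freshly created file briefly carries the umask-derived mode; creating it with `os.open(cacert_fname, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)` wrapped in `os.fdopen` would close that window, though under the usual umask it is already at most 0644. export_ca_cert's body continues past the hunk.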
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index b53c58e2a6..6a593602fc 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -891,9 +891,8 @@ def install(installer):
 
         ca.install_step_0(False, None, options, custodia=custodia)
     else:
-        # Put the CA cert where other instances expect it
-        x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)
-        os.chmod(paths.IPA_CA_CRT, 0o444)
+        # /etc/ipa/ca.crt is created as a side-effect of
+        # dsinstance::enable_ssl() via export_ca_cert()
 
         if not options.no_pkinit:
             x509.write_certificate(http_ca_cert, paths.KDC_CA_BUNDLE_PEM)
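Review bot: The replacement comment names the producer of /etc/ipa/ca.crt but not the ordering the `else:` branch now depends on: with the explicit write and chmod removed, nothing in this function guarantees that paths.IPA_CA_CRT exists with mode 0644 unless enable_ssl() has already run before anything reads it, and that cannot be checked from the hunk. Suggest spelling the dependency out, e.g. `# /etc/ipa/ca.crt is written with mode 0644 by export_ca_cert(), called from DsInstance.enable_ssl() (assumed class name); do not write or chmod it here`. The `dsinstance::enable_ssl()` spelling reads as C++ in a Python file. The `install()` function continues outside the hunk.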

From 83ddfbfd6db62a45852959af8440d9c35532813a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcrit...@redhat.com>
Date: Tue, 4 Aug 2020 15:12:20 -0400
Subject: [PATCH 2/2] ipatests: Check permissions of /etc/ipa/ca.crt new
 installations

It should be 0644 root:root for both CA-ful and CA-less installs.

https://pagure.io/freeipa/issue/8441
---
 ipatests/test_integration/test_caless.py       |  8 ++++++++
 ipatests/test_integration/test_installation.py | 10 ++++++++++
 2 files changed, 18 insertions(+)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 1ea7d9896f..16dfbb320b 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -394,6 +394,14 @@ def verify_installation(self):
                          host, cert_from_ldap.public_bytes(x509.Encoding.PEM))
             assert cert_from_ldap == expected_cacrt
 
+            result = host.run_command(
+                ["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT]
+            )
+            (owner, group, mode) = result.stdout_text.strip().split(':')
+            assert owner == "root"
+            assert group == "root"
+            assert mode == "644"
+
             # Verify certmonger was not started
             result = host.run_command(['getcert', 'list'], raiseonerr=False)
             assert result.returncode == 0
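Review bot: The stat-and-parse block added here is repeated almost verbatim in the test_installation.py hunk of the second patch, differing only in assertion order; a shared helper in the tasks module (which test_installation.py already uses as `tasks`, and which this file presumably imports too) would keep the expected owner, group and mode in one place. Comparing the whole `owner:group:mode` string also gives a clearer failure than the three separate asserts after `split(':')`, which raises a bare ValueError if stat prints something unexpected. verify_installation's body continues on both sides of the hunk.
```python
# proposed helper in the shared tasks module
def assert_file_owner_mode(host, path, owner, group, mode):
    """Assert that *path* on *host* is owned by owner:group with octal *mode*."""
    result = host.run_command(["/usr/bin/stat", "-c", "%U:%G:%a", path])
    actual = result.stdout_text.strip()
    assert actual == ":".join((owner, group, mode)), actual

# … unchanged: cert_from_ldap == expected_cacrt assertion …
            tasks.assert_file_owner_mode(host, paths.IPA_CA_CRT, "root", "root", "644")
```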
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 100a5a7666..fb19900838 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -346,6 +346,16 @@ def test_certmonger_reads_token_HSM(self):
         status = tasks.wait_for_request(self.master, request_id[0], 300)
         assert status == "MONITORING"
 
+    def test_ipa_ca_crt_permissions(self):
+        """Verify that /etc/ipa/ca.cert is mode 0644 root:root"""
+        result = self.master.run_command(
+            ["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT]
+        )
+        out = str(result.stdout_text.strip())
+        (owner, group, mode) = out.split(':')
+        assert mode == "644"
+        assert owner == "root"
+        assert group == "root"
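Review bot: The docstring on the new test names the file `/etc/ipa/ca.cert` while the test stats paths.IPA_CA_CRT, which the commit subject identifies as /etc/ipa/ca.crt; change it to `"""Verify that /etc/ipa/ca.crt is mode 0644 root:root"""`. The `str(...)` wrapper on the `out = str(result.stdout_text.strip())` line looks redundant if stdout_text is already a str, as the test_caless.py hunk assumes by calling `.split(':')` on it directly; `out = result.stdout_text.strip()` matches that. Only one blank line separates the new method from `class TestInstallWithCA_KRA1`, which matches what was there before but is still one short of PEP 8's two.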
 
 class TestInstallWithCA_KRA1(InstallTestBase1):
 