pgreco / rpms / ipa

Forked from forks/areguera/rpms/ipa 4 years ago
Clone
Source Code
GIT

Blame SOURCES/0045-Fix-permission-of-public-files-in-upgrader.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client
  1.   ad15452a3b4ec0185564abc313df61778690887e
  2.   SOURCES
  3.   0045-Fix-permission-of-public-files-in-upgrader.patch
Blob History Raw
f65af0 
From 19bfd7c36d6d087f0cd7def5eb4d8850c395fb4b Mon Sep 17 00:00:00 2001
f65af0 
From: Christian Heimes <cheimes@redhat.com>
f65af0 
Date: Fri, 22 Jun 2018 12:53:19 +0200
f65af0 
Subject: [PATCH] Fix permission of public files in upgrader
f65af0
f65af0 
Make CA bundles, certs, and cert directories world-accessible in
f65af0 
upgrader.
f65af0
f65af0 
Fixes: https://pagure.io/freeipa/issue/7594
f65af0 
Signed-off-by: Christian Heimes <cheimes@redhat.com>
f65af0 
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
f65af0 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
f65af0 
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
f65af0 
---
f65af0 
 ipaserver/install/server/upgrade.py | 31 +++++++++++++++++++++++++++++
f65af0 
 1 file changed, 31 insertions(+)
f65af0
f65af0 
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
f65af0 
index 4e5096e598cd10e3bd98f91946b4d26377d0de6e..7faaacd5d2f0c39bcf744c288b283009ccb3ead5 100644
f65af0 
--- a/ipaserver/install/server/upgrade.py
f65af0 
+++ b/ipaserver/install/server/upgrade.py
f65af0 
@@ -4,12 +4,14 @@
f65af0
f65af0 
 from __future__ import print_function, absolute_import
f65af0
f65af0 
+import errno
f65af0 
 import logging
f65af0 
 import re
f65af0 
 import os
f65af0 
 import shutil
f65af0 
 import pwd
f65af0 
 import fileinput
f65af0 
+import stat
f65af0 
 import sys
f65af0 
 import tempfile
f65af0 
 from contextlib import contextmanager
f65af0 
@@ -1656,6 +1658,34 @@ def update_replica_config(db_suffix):
f65af0 
         logger.info("Updated entry %s", dn)
f65af0
f65af0
f65af0 
+def fix_permissions():
f65af0 
+    """Fix permission of public accessible files and directories
f65af0 
+
f65af0 
+    In case IPA was installed with restricted umask, some public files and
f65af0 
+    directories may not be readable and accessible.
f65af0 
+
f65af0 
+    See https://pagure.io/freeipa/issue/7594
f65af0 
+    """
f65af0 
+    candidates = [
f65af0 
+        paths.HTTPD_ALIAS_DIR,
f65af0 
+        paths.CA_BUNDLE_PEM,
f65af0 
+        paths.KDC_CA_BUNDLE_PEM,
f65af0 
+        paths.IPA_CA_CRT,
f65af0 
+        paths.IPA_P11_KIT,
f65af0 
+    ]
f65af0 
+    for filename in candidates:
f65af0 
+        try:
f65af0 
+            s = os.stat(filename)
f65af0 
+        except OSError as e:
f65af0 
+            if e.errno != errno.ENOENT:
f65af0 
+                raise
f65af0 
+            continue
f65af0 
+        mode = 0o755 if stat.S_ISDIR(s.st_mode) else 0o644
f65af0 
+        if mode != stat.S_IMODE(s.st_mode):
f65af0 
+            logger.debug("Fix permission of %s to %o", filename, mode)
f65af0 
+            os.chmod(filename, mode)
f65af0 
+
f65af0 
+
f65af0 
 def upgrade_configuration():
f65af0 
     """
f65af0 
     Execute configuration upgrade of the IPA services
f65af0 
@@ -1677,6 +1707,7 @@ def upgrade_configuration():
f65af0 
         ds.start(ds_serverid)
f65af0
f65af0 
     check_certs()
f65af0 
+    fix_permissions()
f65af0
f65af0 
     auto_redirect = find_autoredirect(fqdn)
f65af0 
     sub_dict = dict(
f65af0 
--
f65af0 
2.17.1
f65af0

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation