SOURCES/freeradius-bootstrap-run-only-once.patch

Author: Antonio Torres <antorres@redhat.com>
Date:   Wed Jul 20 2021
Subject: [PATCH] ensure bootstrap script is run only once
	The bootstrap script should only run once. By checking if there are
	certificates in the directory, we can exit early if certificates were
	already generated.
	Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1954521
	Signed-off-by: Antonio Torres <antorres@redhat.com>
---
 raddb/certs/README    | 16 ++++++----------
 raddb/certs/bootstrap | 18 ++++++++++++------
 2 files changed, 18 insertions(+), 16 deletions(-)
diff --git a/raddb/certs/README b/raddb/certs/README
index 6288921da1..32413964dd 100644
--- a/raddb/certs/README
+++ b/raddb/certs/README
@@ -29,17 +29,13 @@ the "ca_file", you permit them to masquerade as you, to authenticate
 your users, and to issue client certificates for EAP-TLS.
 
   If FreeRADIUS was configured to use OpenSSL, then simply starting
-the server in root in debugging mode should also create test
-certificates, i.e.:
+the server in root mode should also create test certificates.
 
-$ radiusd -X
-
-  That will cause the EAP-TLS module to run the "bootstrap" script in
-this directory.  The script will be executed only once, the first time
-the server has been installed on a particular machine.  This bootstrap
-script SHOULD be run on installation of any pre-built binary package
-for your OS.  In any case, the script will ensure that it is not run
-twice, and that it does not over-write any existing certificates.
+  The start of FreeRADIUS will cause to run the "bootstrap" script.
+The script will be executed during every start of FreeRADIUS via systemd but
+the script will ensure that it does not overwrite any existing certificates.
+Ideally, the bootstrap script file should be deleted after new testing certificates
+have been generated.
 
   If you already have CA and server certificates, rename (or delete)
 this directory, and create a new "certs" directory containing your
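Review bot: the new README paragraph opening `+  The start of FreeRADIUS will cause to run the "bootstrap" script.` is ungrammatical, and the rewritten sentence `+the server in root mode should also create test certificates.` is ambiguous ("root mode" is not a server mode; the old text meant running as root). Suggest `Starting FreeRADIUS (as root) runs the "bootstrap" script.` and `the server as root should also create test certificates.` The paragraph also says the script now runs on every systemd start and then recommends deleting the file once certificates exist; since the bootstrap hunk below adds an early exit precisely so repeated runs are harmless, either drop the deletion advice or state that the early exit already makes re-running safe, so the two documents do not give conflicting guidance.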
diff --git a/raddb/certs/bootstrap b/raddb/certs/bootstrap
index 0f719aafd4..92254dc936 100755
--- a/raddb/certs/bootstrap
+++ b/raddb/certs/bootstrap
@@ -1,12 +1,18 @@
 #!/bin/sh
 #
-#  This is a wrapper script to create default certificates when the
-#  server first starts in debugging mode.  Once the certificates have been
-#  created, this file should be deleted.
+# Bootstrap script should be run only once. If there are already certificates
+# generated, skip the execution.
+#
+cd `dirname $0`
+if [ $(ls -l *.{pem,crt,key} 2>/dev/null | wc -l) != 0 ]; then
+  exit 0
+fi
+
 #
-#  Ideally, this program should be run as part of the installation of any
-#  binary package.  The installation should also ensure that the permissions
-#  and owners are correct for the files generated by this script.
+#  This is a wrapper script to create default certificates when the
+#  server starts via systemd. It should also ensure that the
+#  permissions and owners are correct for the generated files. Once
+# the certificates have been created, this file should be deleted.
 #
 #  $Id: 0f719aafd4c9abcdefbf547dedb6e7312c535104 $
 #
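Review bot: the early-exit test `+if [ $(ls -l *.{pem,crt,key} 2>/dev/null | wc -l) != 0 ]; then` relies on brace expansion, which is a bash extension and not part of POSIX sh; under a `#!/bin/sh` that is dash or another strict shell the pattern is passed literally, `ls` fails silently because of `2>/dev/null`, the count is always 0 and the guard never fires, so the script regenerates certificates on every start, which is exactly the behaviour the commit sets out to stop. A portable form is `for f in *.pem *.crt *.key; do [ -e "$f" ] && exit 0; done`, which also avoids parsing `ls` output. Two smaller points in the same hunk: `+cd \`dirname $0\`` is unquoted and unchecked, so a path with spaces or a failed `cd` leaves the check (and the certificate generation that follows) running in the wrong directory; use `cd "$(dirname "$0")" || exit 1`, which is also consistent with the `$(...)` already used on the next line. And the guard treats the presence of any single `.pem`, `.crt` or `.key` file as "already bootstrapped", so a previous run that aborted partway (for example after writing only the CA files) will make every later start exit 0 with an incomplete certificate set; consider checking for the specific server certificate and key the script is expected to produce, or documenting that a partial directory must be cleaned by hand.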