rpms / ipa

Clone
Source Code
GIT

Blame SOURCES/0016-Set-mode-of-etc-ipa-ca.crt-to-0644-in-CA-less-instal_rhbz#1870202.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client c8s-stream-DL1 c8s-stream-client c9 c9-beta
  1.   c706d03efc58df50f9ef5966ea33f81044000f2f
  2.   SOURCES
  3.   0016-Set-mode-of-etc-ipa-ca.crt-to-0644-in-CA-less-instal_rhbz#1870202.patch
Blob History Raw
5144c6 
From 4a97145c3a76a4d9ebf52b3905410a0bd7bec856 Mon Sep 17 00:00:00 2001
5144c6 
From: Rob Crittenden <rcritten@redhat.com>
5144c6 
Date: Tue, 4 Aug 2020 15:09:56 -0400
5144c6 
Subject: [PATCH] Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations
5144c6
5144c6 
It was previously being set to 0444 which triggered a warning
5144c6 
in freeipa-healthcheck.
5144c6
5144c6 
Even root needs DAC_OVERRIDE capability to write to a 0o444 file
5144c6 
which may not be available in some environments.
5144c6
5144c6 
https://pagure.io/freeipa/issue/8441
5144c6
5144c6 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
5144c6 
---
5144c6 
 ipaserver/install/certs.py          | 2 +-
5144c6 
 ipaserver/install/server/install.py | 5 ++---
5144c6 
 2 files changed, 3 insertions(+), 4 deletions(-)
5144c6
5144c6 
diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
5144c6 
index 22ee79bd1..51d9f9221 100644
5144c6 
--- a/ipaserver/install/certs.py
5144c6 
+++ b/ipaserver/install/certs.py
5144c6 
@@ -329,7 +329,7 @@ class CertDB:
5144c6 
         ipautil.backup_file(cacert_fname)
5144c6 
         root_nicknames = self.find_root_cert(nickname)[:-1]
5144c6 
         with open(cacert_fname, "w") as f:
5144c6 
-            os.fchmod(f.fileno(), stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
5144c6 
+            os.fchmod(f.fileno(), 0o644)
5144c6 
             for root in root_nicknames:
5144c6 
                 result = self.run_certutil(["-L", "-n", root, "-a"],
5144c6 
                                            capture_output=True)
5144c6 
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
5144c6 
index b53c58e2a..6a593602f 100644
5144c6 
--- a/ipaserver/install/server/install.py
5144c6 
+++ b/ipaserver/install/server/install.py
5144c6 
@@ -891,9 +891,8 @@ def install(installer):
5144c6
5144c6 
         ca.install_step_0(False, None, options, custodia=custodia)
5144c6 
     else:
5144c6 
-        # Put the CA cert where other instances expect it
5144c6 
-        x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)
5144c6 
-        os.chmod(paths.IPA_CA_CRT, 0o444)
5144c6 
+        # /etc/ipa/ca.crt is created as a side-effect of
5144c6 
+        # dsinstance::enable_ssl() via export_ca_cert()
5144c6
5144c6 
         if not options.no_pkinit:
5144c6 
             x509.write_certificate(http_ca_cert, paths.KDC_CA_BUNDLE_PEM)
5144c6 
--
5144c6 
2.26.2
5144c6
5144c6 
From da2079ce2cc841aec56da872131112eb24326f81 Mon Sep 17 00:00:00 2001
5144c6 
From: Rob Crittenden <rcritten@redhat.com>
5144c6 
Date: Tue, 4 Aug 2020 15:12:20 -0400
5144c6 
Subject: [PATCH] ipatests: Check permissions of /etc/ipa/ca.crt new
5144c6 
 installations
5144c6
5144c6 
It should be 0644 root:root for both CA-ful and CA-less installs.
5144c6
5144c6 
https://pagure.io/freeipa/issue/8441
5144c6
5144c6 
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
5144c6 
---
5144c6 
 ipatests/test_integration/test_caless.py       |  8 ++++++++
5144c6 
 ipatests/test_integration/test_installation.py | 10 ++++++++++
5144c6 
 2 files changed, 18 insertions(+)
5144c6
5144c6 
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
5144c6 
index 1ea7d9896..16dfbb320 100644
5144c6 
--- a/ipatests/test_integration/test_caless.py
5144c6 
+++ b/ipatests/test_integration/test_caless.py
5144c6 
@@ -394,6 +394,14 @@ class CALessBase(IntegrationTest):
5144c6 
                          host, cert_from_ldap.public_bytes(x509.Encoding.PEM))
5144c6 
             assert cert_from_ldap == expected_cacrt
5144c6
5144c6 
+            result = host.run_command(
5144c6 
+                ["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT]
5144c6 
+            )
5144c6 
+            (owner, group, mode) = result.stdout_text.strip().split(':')
5144c6 
+            assert owner == "root"
5144c6 
+            assert group == "root"
5144c6 
+            assert mode == "644"
5144c6 
+
5144c6 
             # Verify certmonger was not started
5144c6 
             result = host.run_command(['getcert', 'list'], raiseonerr=False)
5144c6 
             assert result.returncode == 0
5144c6 
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
5144c6 
index 100a5a766..fb1990083 100644
5144c6 
--- a/ipatests/test_integration/test_installation.py
5144c6 
+++ b/ipatests/test_integration/test_installation.py
5144c6 
@@ -346,6 +346,16 @@ class TestInstallCA(IntegrationTest):
5144c6 
         status = tasks.wait_for_request(self.master, request_id[0], 300)
5144c6 
         assert status == "MONITORING"
5144c6
5144c6 
+    def test_ipa_ca_crt_permissions(self):
5144c6 
+        """Verify that /etc/ipa/ca.cert is mode 0644 root:root"""
5144c6 
+        result = self.master.run_command(
5144c6 
+            ["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT]
5144c6 
+        )
5144c6 
+        out = str(result.stdout_text.strip())
5144c6 
+        (owner, group, mode) = out.split(':')
5144c6 
+        assert mode == "644"
5144c6 
+        assert owner == "root"
5144c6 
+        assert group == "root"
5144c6
5144c6 
 class TestInstallWithCA_KRA1(InstallTestBase1):
5144c6
5144c6 
--
5144c6 
2.26.2
5144c6

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation