From 9bb9255161eef8da54842c0a6aeb1ddb0b20c0df Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Fri, 22 Jun 2018 12:25:33 +0200
Subject: [PATCH] Make /etc/httpd/alias world readable & executable
The directory /etc/httpd/alias contains public key material. It must be
world readable and executable, so any client can read public certs.
Note: executable for a directory means that a process is allowed to
traverse into the directory.
Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
 ipaserver/install/httpinstance.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
95ea96
index 05b88998353597aebc39b6dad5e1a688dca84f49..3f8b18c4e8412c1767b6ad541da18d8b30ad59f7 100644
95ea96
--- a/ipaserver/install/httpinstance.py
95ea96
+++ b/ipaserver/install/httpinstance.py
95ea96
@@ -217,6 +217,9 @@ class HTTPInstance(service.Service):
95ea96
         self.update_httpd_service_ipa_conf()
95ea96
         self.update_httpd_wsgi_conf()
95ea96
 
95ea96
+        # Must be world-readable / executable
95ea96
+        os.chmod(paths.HTTPD_ALIAS_DIR, 0o755)
95ea96
+
95ea96
         target_fname = paths.HTTPD_IPA_CONF
95ea96
         http_txt = ipautil.template_file(
95ea96
             os.path.join(paths.USR_SHARE_IPA_DIR, "ipa.conf"), self.sub_dict)
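Review bot: The added `os.chmod(paths.HTTPD_ALIAS_DIR, 0o755)` lets every local user list and traverse the directory, and nothing in this hunk shows that the files inside keep restrictive modes. If the directory also holds a private-key database or a password file (an NSS database directory usually does, though that is not visible here), their confidentiality now rests entirely on per-file mode and ownership, so this install step should set or verify those explicitly instead of assuming them. The comment should record that dependency, for example `# 0o755 so clients can traverse and read public certs; key and password files stay protected by their own file modes`. The call also raises `OSError` when the directory is missing and follows a symlink at that path; the enclosing method starts and ends outside the hunk, so whether either case is handled cannot be confirmed from here.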
-- 
2.17.1