From 19bfd7c36d6d087f0cd7def5eb4d8850c395fb4b Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Fri, 22 Jun 2018 12:53:19 +0200
Subject: [PATCH] Fix permission of public files in upgrader
95ea96
Make CA bundles, certs, and cert directories world-accessible in
95ea96
upgrader.
95ea96
Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
 ipaserver/install/server/upgrade.py | 31 +++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
95ea96
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
95ea96
index 4e5096e598cd10e3bd98f91946b4d26377d0de6e..7faaacd5d2f0c39bcf744c288b283009ccb3ead5 100644
95ea96
--- a/ipaserver/install/server/upgrade.py
95ea96
+++ b/ipaserver/install/server/upgrade.py
95ea96
@@ -4,12 +4,14 @@
95ea96
 
95ea96
 from __future__ import print_function, absolute_import
95ea96
 
95ea96
+import errno
95ea96
 import logging
95ea96
 import re
95ea96
 import os
95ea96
 import shutil
95ea96
 import pwd
95ea96
 import fileinput
95ea96
+import stat
95ea96
 import sys
95ea96
 import tempfile
95ea96
 from contextlib import contextmanager
95ea96
@@ -1656,6 +1658,34 @@ def update_replica_config(db_suffix):
95ea96
         logger.info("Updated entry %s", dn)
95ea96
 
95ea96
 
95ea96
+def fix_permissions():
95ea96
+    """Fix permission of public accessible files and directories
95ea96
+
95ea96
+    In case IPA was installed with restricted umask, some public files and
95ea96
+    directories may not be readable and accessible.
95ea96
+
95ea96
+    See https://pagure.io/freeipa/issue/7594
95ea96
+    """
95ea96
+    candidates = [
95ea96
+        paths.HTTPD_ALIAS_DIR,
95ea96
+        paths.CA_BUNDLE_PEM,
95ea96
+        paths.KDC_CA_BUNDLE_PEM,
95ea96
+        paths.IPA_CA_CRT,
95ea96
+        paths.IPA_P11_KIT,
95ea96
+    ]
95ea96
+    for filename in candidates:
95ea96
+        try:
95ea96
+            s = os.stat(filename)
95ea96
+        except OSError as e:
95ea96
+            if e.errno != errno.ENOENT:
95ea96
+                raise
95ea96
+            continue
95ea96
+        mode = 0o755 if stat.S_ISDIR(s.st_mode) else 0o644
95ea96
+        if mode != stat.S_IMODE(s.st_mode):
95ea96
+            logger.debug("Fix permission of %s to %o", filename, mode)
95ea96
+            os.chmod(filename, mode)
95ea96
+
95ea96
+
95ea96
 def upgrade_configuration():
95ea96
     """
95ea96
     Execute configuration upgrade of the IPA services
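Review bot: The comparison `if mode != stat.S_IMODE(s.st_mode):` in fix_permissions resets every candidate to exactly 0644/0755, so besides widening the result of a restrictive umask it also clears setgid/sticky bits and tightens a group- or world-writable file, which the docstring's "may not be readable and accessible" does not convey; add a line such as `Modes are forced to exactly 0644 (files) / 0755 (directories); any other permission bits are cleared.` Because re-moding a CA bundle or the httpd NSS directory during an upgrade is something an operator will want to see in the upgrade log, `logger.info("Fix permission of %s to %o", filename, mode)` is more appropriate than the debug level used here. `os.stat` and `os.chmod` both follow symlinks, so if any of these paths is ever a symlink the target's mode is what changes; using `os.lstat` and skipping entries where `stat.S_ISLNK(s.st_mode)` would make that explicit. The loop touches only the directory inode of HTTPD_ALIAS_DIR and not the NSS database files inside it, which is presumably intended given that they hold private key material and is worth stating in the docstring.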
95ea96
@@ -1677,6 +1707,7 @@ def upgrade_configuration():
95ea96
         ds.start(ds_serverid)
95ea96
 
95ea96
     check_certs()
95ea96
+    fix_permissions()
95ea96
 
95ea96
     auto_redirect = find_autoredirect(fqdn)
95ea96
     sub_dict = dict(
95ea96
-- 
95ea96
2.17.1
95ea96