From 7d7bb4789504a3f84e8ccf52abc06e8de109289a Mon Sep 17 00:00:00 2001
From: Martin Basti <mbasti@redhat.com>
Date: Wed, 9 Dec 2015 13:40:04 +0100
Subject: [PATCH] Explicitly call chmod on newly created directories
Without an explicit os.chmod() call, the umask applies and may cause the
directory to be created with permissions that cause a failure.
This can be related to https://fedorahosted.org/freeipa/ticket/5520
Reviewed-By: Tomas Babej <tbabej@redhat.com>
---
 ipaplatform/base/services.py             |  2 +-
 ipaserver/install/cainstance.py          |  1 +
 ipaserver/install/ipa_backup.py          |  7 ++++---
 ipaserver/install/ipa_replica_prepare.py |  3 ++-
 ipaserver/install/ipa_restore.py         | 10 ++++++----
 5 files changed, 14 insertions(+), 9 deletions(-)
diff --git a/ipaplatform/base/services.py b/ipaplatform/base/services.py
e0ab38
index 56e959e919e42281431240451071a2d4b8048e4a..b068a2f3b00549fffa20feffb6a3158382fc7e9a 100644
e0ab38
--- a/ipaplatform/base/services.py
e0ab38
+++ b/ipaplatform/base/services.py
e0ab38
@@ -421,7 +421,7 @@ class SystemdService(PlatformService):
e0ab38
 
e0ab38
             try:
e0ab38
                 if not ipautil.dir_exists(srv_tgt):
e0ab38
-                    os.mkdir(srv_tgt)
e0ab38
+                    os.mkdir(srv_tgt, 0755)
e0ab38
                 if os.path.exists(srv_lnk):
e0ab38
                     # Remove old link
e0ab38
                     os.unlink(srv_lnk)
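Review bot: The mode passed in `os.mkdir(srv_tgt, 0755)` is still filtered through the process umask, so under a restrictive umask such as 077 the directory ends up 0700, which is the situation the commit message describes. Unlike the other files in this patch, no chmod follows here; adding `os.chmod(srv_tgt, 0755)` right after the mkdir, inside the same `if not ipautil.dir_exists(srv_tgt):` branch, would make the result independent of the umask. The enclosing method and the end of the try block are outside this hunk.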
e0ab38
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
e0ab38
index c20bf39c12cff0777d90efad2b0d8d136ee37ec9..d9bf4f31af5a922dd6f977a5011f50ce7cea8896 100644
e0ab38
--- a/ipaserver/install/cainstance.py
e0ab38
+++ b/ipaserver/install/cainstance.py
e0ab38
@@ -978,6 +978,7 @@ class CAInstance(DogtagInstance):
e0ab38
 
e0ab38
         if not ipautil.dir_exists(self.ra_agent_db):
e0ab38
             os.mkdir(self.ra_agent_db)
e0ab38
+            os.chmod(self.ra_agent_db, 0755)
e0ab38
 
e0ab38
         # Create the password file for this db
e0ab38
         hex_str = binascii.hexlify(os.urandom(10))
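Review bot: Mode 0755 on `self.ra_agent_db` leaves the directory listable and traversable by every local user, and the context lines right after it create a password file for the database stored there. The file modes are set outside this hunk, so confidentiality presumably rests on them rather than on the directory; a comment above the chmod would make that dependency explicit, for example `# directory is world-readable; the password file and key db must keep their own restrictive modes`. If nothing outside the owning service needs to read this directory, 0750 would be the tighter choice.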
e0ab38
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
e0ab38
index 3bd2ef0203c1b5b596e092987acd894491ecae26..a5a4bef0a17f641fcea565d9a79c3e6887a064a7 100644
e0ab38
--- a/ipaserver/install/ipa_backup.py
e0ab38
+++ b/ipaserver/install/ipa_backup.py
e0ab38
@@ -279,8 +279,8 @@ class Backup(admintool.AdminTool):
e0ab38
         os.chown(self.top_dir, pent.pw_uid, pent.pw_gid)
e0ab38
         os.chmod(self.top_dir, 0750)
e0ab38
         self.dir = os.path.join(self.top_dir, "ipa")
e0ab38
-        os.mkdir(self.dir, 0750)
e0ab38
-
e0ab38
+        os.mkdir(self.dir)
e0ab38
+        os.chmod(self.dir, 0750)
e0ab38
         os.chown(self.dir, pent.pw_uid, pent.pw_gid)
e0ab38
 
e0ab38
         self.header = os.path.join(self.top_dir, 'header')
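Review bot: Dropping the mode from `os.mkdir(self.dir)` means the directory briefly exists with whatever the umask allows (0755 under the common 022) before `os.chmod(self.dir, 0750)` tightens it, whereas the old call could never be more permissive than 0750. Here the parent top_dir was already set to 0750 in the context lines above, which limits exposure, but the same pattern is applied to backup_dir (0700) in the second hunk of this file, to self.dir in ipa_replica_prepare.py and to all three hunks in ipa_restore.py, where the parent's mode is not always visible. Keeping the mode as an upper bound and then fixing it up covers both the loose-umask and the strict-umask case: `os.mkdir(self.dir, 0750)` followed by `os.chmod(self.dir, 0750)`.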
e0ab38
@@ -605,7 +605,8 @@ class Backup(admintool.AdminTool):
e0ab38
             backup_dir = os.path.join(paths.IPA_BACKUP_DIR, time.strftime('ipa-full-%Y-%m-%d-%H-%M-%S'))
e0ab38
             filename = os.path.join(backup_dir, "ipa-full.tar")
e0ab38
 
e0ab38
-        os.mkdir(backup_dir, 0700)
e0ab38
+        os.mkdir(backup_dir)
e0ab38
+        os.chmod(backup_dir, 0700)
e0ab38
 
e0ab38
         cwd = os.getcwd()
e0ab38
         os.chdir(self.dir)
e0ab38
diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
e0ab38
index 5246f5f5469c85571d04c99d872f38018802abaa..b9ae60e9bc9d40be5f86e312980846b2ad80f67d 100644
e0ab38
--- a/ipaserver/install/ipa_replica_prepare.py
e0ab38
+++ b/ipaserver/install/ipa_replica_prepare.py
e0ab38
@@ -345,7 +345,8 @@ class ReplicaPrepare(admintool.AdminTool):
e0ab38
 
e0ab38
         self.top_dir = tempfile.mkdtemp("ipa")
e0ab38
         self.dir = os.path.join(self.top_dir, "realm_info")
e0ab38
-        os.mkdir(self.dir, 0700)
e0ab38
+        os.mkdir(self.dir)
e0ab38
+        os.chmod(self.dir, 0700)
e0ab38
         try:
e0ab38
             self.copy_ds_certificate()
e0ab38
 
e0ab38
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
e0ab38
index 57d5deb1e68af6e9ceb51f4dd751b8a59d9ac513..cdc460301ad8aeb658fec18da565238a376d1c0c 100644
e0ab38
--- a/ipaserver/install/ipa_restore.py
e0ab38
+++ b/ipaserver/install/ipa_restore.py
e0ab38
@@ -300,8 +300,8 @@ class Restore(admintool.AdminTool):
e0ab38
         os.chown(self.top_dir, pent.pw_uid, pent.pw_gid)
e0ab38
         os.chmod(self.top_dir, 0750)
e0ab38
         self.dir = os.path.join(self.top_dir, "ipa")
e0ab38
-        os.mkdir(self.dir, 0750)
e0ab38
-
e0ab38
+        os.mkdir(self.dir)
e0ab38
+        os.chmod(self.dir, 0750)
e0ab38
         os.chown(self.dir, pent.pw_uid, pent.pw_gid)
e0ab38
 
e0ab38
         cwd = os.getcwd()
e0ab38
@@ -527,7 +527,8 @@ class Restore(admintool.AdminTool):
e0ab38
 
e0ab38
         if not os.path.exists(ldifdir):
e0ab38
             pent = pwd.getpwnam(DS_USER)
e0ab38
-            os.mkdir(ldifdir, 0770)
e0ab38
+            os.mkdir(ldifdir)
e0ab38
+            os.chmod(ldifdir, 0770)
e0ab38
             os.chown(ldifdir, pent.pw_uid, pent.pw_gid)
e0ab38
 
e0ab38
         ipautil.backup_file(ldiffile)
e0ab38
@@ -804,7 +805,8 @@ class Restore(admintool.AdminTool):
e0ab38
         for dir in dirs:
e0ab38
             try:
e0ab38
                 self.log.debug('Creating %s' % dir)
e0ab38
-                os.mkdir(dir, 0770)
e0ab38
+                os.mkdir(dir)
e0ab38
+                os.chmod(dir, 0770)
e0ab38
                 os.chown(dir, pent.pw_uid, pent.pw_gid)
e0ab38
                 tasks.restore_context(dir)
e0ab38
             except Exception, e:
-- 
2.4.3