From 9bb9255161eef8da54842c0a6aeb1ddb0b20c0df Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Fri, 22 Jun 2018 12:25:33 +0200
Subject: [PATCH] Make /etc/httpd/alias world readable & executable

The directory /etc/httpd/alias contains public key material. It must be
world readable and executable, so any client can read public certs.

Note: for a directory, the executable bit means that a process is allowed to
traverse into the directory.

Fixes: https://pagure.io/freeipa/issue/7594
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
 ipaserver/install/httpinstance.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 05b88998353597aebc39b6dad5e1a688dca84f49..3f8b18c4e8412c1767b6ad541da18d8b30ad59f7 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -217,6 +217,9 @@ class HTTPInstance(service.Service):
         self.update_httpd_service_ipa_conf()
         self.update_httpd_wsgi_conf()
 
+        # Must be world-readable / executable
+        os.chmod(paths.HTTPD_ALIAS_DIR, 0o755)
+
         target_fname = paths.HTTPD_IPA_CONF
         http_txt = ipautil.template_file(
             os.path.join(paths.USR_SHARE_IPA_DIR, "ipa.conf"), self.sub_dict)
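Review bot: The comment on the added `os.chmod(paths.HTTPD_ALIAS_DIR, 0o755)` says the mode is required but not why, and it does not record that 0o755 opens only the directory itself, so anything private stored in it is then protected solely by its own file mode. If this directory also holds key databases or a password file (not visible in this hunk), a comment such as `# Public certs live here, so clients need r-x on the directory; private files inside must keep restrictive modes of their own` would keep a later maintainer from loosening those too. The call is also unconditional, so a missing directory would raise OSError at this point in the install step; it is worth confirming the directory always exists by the time this runs. The enclosing method starts and ends outside the hunk.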
-- 
2.17.1