From 4a97145c3a76a4d9ebf52b3905410a0bd7bec856 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Tue, 4 Aug 2020 15:09:56 -0400
Subject: [PATCH] Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations

It was previously being set to 0444 which triggered a warning in freeipa-healthcheck. Even root needs DAC_OVERRIDE capability to write to a 0o444 file which may not be available in some environments.

https://pagure.io/freeipa/issue/8441

Reviewed-By: Alexander Bokovoy
---
 ipaserver/install/certs.py | 2 +-
 ipaserver/install/server/install.py | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index 22ee79bd1..51d9f9221 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -329,7 +329,7 @@ class CertDB:
 ipautil.backup_file(cacert_fname)
 root_nicknames = self.find_root_cert(nickname)[:-1]
 with open(cacert_fname, "w") as f:
- os.fchmod(f.fileno(), stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
+ os.fchmod(f.fileno(), 0o644)
 for root in root_nicknames:
 result = self.run_certutil(["-L", "-n", root, "-a"],
 capture_output=True)
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index b53c58e2a..6a593602f 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -891,9 +891,8 @@ def install(installer):
 ca.install_step_0(False, None, options, custodia=custodia)
 else:
- # Put the CA cert where other instances expect it
- x509.write_certificate(http_ca_cert, paths.IPA_CA_CRT)
- os.chmod(paths.IPA_CA_CRT, 0o444)
+ # /etc/ipa/ca.crt is created as a side-effect of
+ # dsinstance::enable_ssl() via export_ca_cert()
 if not options.no_pkinit:
 x509.write_certificate(http_ca_cert, paths.KDC_CA_BUNDLE_PEM)
-- 
2.26.2

From da2079ce2cc841aec56da872131112eb24326f81 Mon Sep 17 00:00:00 2001 
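Review bot: The replaced `stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH` line was the only use of `stat` visible in this hunk; if certs.py has no other reference to it, the import is now unused and should be dropped with this change. The bare literal also loses the reason the mode is 0644 rather than 0444, which only the commit message records; a one-line comment next to the call would keep it with the code, e.g. `# 0644, not 0444: even root needs DAC_OVERRIDE to rewrite a read-only file (issue 8441)`. Note that `open(cacert_fname, "w")` creates the file under the process umask before `fchmod` runs; because the CA certificate is public data this is only a brief integrity window, and `os.open(..., 0o644)` with `os.fdopen` would close it if that matters. The enclosing method's signature is outside the hunk.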
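Review bot: The new comment names the producer of `paths.IPA_CA_CRT` but not the ordering the else branch now relies on: nothing here writes the file any more, so the steps that follow in `install()` (the KDC bundle write is visible in the hunk) assume `dsinstance.enable_ssl()` has already run. If that ordering is not already guaranteed earlier in the function, a guard such as `if not os.path.exists(paths.IPA_CA_CRT): raise RuntimeError("CA certificate missing")` would fail loudly rather than leave a CA-less server without its CA file; otherwise extend the comment to say so, e.g. `# ... which runs earlier in this function; the certs.py export sets it to 0644`. The removed `os.chmod` may also have been the last use of `os` in this module, which is worth checking. `install()` starts and ends outside the hunk.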
From: Rob Crittenden
Date: Tue, 4 Aug 2020 15:12:20 -0400
Subject: [PATCH] ipatests: Check permissions of /etc/ipa/ca.crt new installations

It should be 0644 root:root for both CA-ful and CA-less installs.

https://pagure.io/freeipa/issue/8441

Reviewed-By: Alexander Bokovoy
---
 ipatests/test_integration/test_caless.py | 8 ++++++++
 ipatests/test_integration/test_installation.py | 10 ++++++++++
 2 files changed, 18 insertions(+)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 1ea7d9896..16dfbb320 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -394,6 +394,14 @@ class CALessBase(IntegrationTest):
 host, cert_from_ldap.public_bytes(x509.Encoding.PEM))
 assert cert_from_ldap == expected_cacrt
+ result = host.run_command(
+ ["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT]
+ )
+ (owner, group, mode) = result.stdout_text.strip().split(':')
+ assert owner == "root"
+ assert group == "root"
+ assert mode == "644"
+
 # Verify certmonger was not started
 result = host.run_command(['getcert', 'list'], raiseonerr=False)
 assert result.returncode == 0
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 100a5a766..fb1990083 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -346,6 +346,16 @@ class TestInstallCA(IntegrationTest):
 status = tasks.wait_for_request(self.master, request_id[0], 300)
 assert status == "MONITORING"
+ def test_ipa_ca_crt_permissions(self):
+ """Verify that /etc/ipa/ca.cert is mode 0644 root:root"""
+ result = self.master.run_command(
+ ["/usr/bin/stat", "-c", "%U:%G:%a", paths.IPA_CA_CRT]
+ )
+ out = str(result.stdout_text.strip())
+ (owner, group, mode) = out.split(':')
+ assert mode == "644"
+ assert owner == "root"
+ assert group == "root"
 class TestInstallWithCA_KRA1(InstallTestBase1):
-- 
2.26.2
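Review bot: The stat/split/assert sequence added here is duplicated almost verbatim in the test_installation.py hunk of this patch, with the assertions in a different order and an extra `str()` there; a single helper would keep the two checks from drifting and give a readable failure message. The `tasks` module already used by test_installation.py looks like the natural home, but a module-level function in this file works too. The helper below compares the whole `owner:group:mode` triple at once, so a failure shows all three values; the enclosing test method's signature is outside the hunk.
```python
def assert_file_ownership_and_mode(host, path, owner="root", group="root", mode="644"):
    """Assert that *path* on *host* is owned by owner:group with the given mode (octal, as printed by stat %a)."""
    result = host.run_command(["/usr/bin/stat", "-c", "%U:%G:%a", path])
    assert result.stdout_text.strip().split(":") == [owner, group, mode]

# … unchanged: comparison of the LDAP CA certificate with expected_cacrt …
assert_file_ownership_and_mode(host, paths.IPA_CA_CRT)
```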
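Review bot: The docstring on the new `test_ipa_ca_crt_permissions` names `/etc/ipa/ca.cert`, but the path it checks is `paths.IPA_CA_CRT`, which the commit message identifies as /etc/ipa/ca.crt; it should read `"""Verify that /etc/ipa/ca.crt is mode 0644 root:root"""`. The `str(...)` wrapper on `result.stdout_text.strip()` appears redundant, since the sibling test_caless.py hunk splits the same attribute directly; `out = result.stdout_text.strip()` is enough if `stdout_text` is already a str. Judging by the hunk counts the new method follows `assert status == "MONITORING"` with no blank line between the two methods, which PEP 8 style would add.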