From 52855f472ea918534d50743af4a2b512661fdd95 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Mon, 3 Aug 2020 18:52:07 +0200
Subject: [PATCH] CAless installation: set the perms on KDC cert file

In CA less installation, the KDC certificate file does not have the expected 644 permissions. As a consequence, WebUI login fails. The fix makes sure that the KDC cert file is saved with 644 perms.

Fixes: https://pagure.io/freeipa/issue/8440
Reviewed-By: Rob Crittenden
---
 ipaserver/install/krbinstance.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
index a666c0918afad81e35f49387ffc32cde60484c5d..3aede9016eb6de38d43a84cb6997cb69987c4eb2 100644
--- a/ipaserver/install/krbinstance.py
+++ b/ipaserver/install/krbinstance.py
@@ -527,6 +527,8 @@ class KrbInstance(service.Service):
 certs.install_pem_from_p12(self.pkcs12_info[0],
 self.pkcs12_info[1],
 paths.KDC_CERT)
+ # The KDC cert needs to be readable by everyone
+ os.chmod(paths.KDC_CERT, 0o644)
 certs.install_key_from_p12(self.pkcs12_info[0],
 self.pkcs12_info[1],
 paths.KDC_KEY)
--
2.26.2
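Review bot: The added `os.chmod(paths.KDC_CERT, 0o644)` pins the certificate's mode at the call site, but the `certs.install_key_from_p12(..., paths.KDC_KEY)` call directly after it still depends on whatever mode the helper and the process umask produce, which this hunk does not show. Since the two files are written back to back with deliberately different exposure, I would make the private key's mode explicit too, e.g. `os.chmod(paths.KDC_KEY, 0o600)` once the key is written, unless the helper already guarantees a restrictive mode. The comment could also record the reason rather than only the effect, e.g. `# KDC cert is public and must be world-readable, otherwise WebUI login fails (issue 8440); the key below must stay private`. The enclosing method starts and ends outside the hunk.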