Yedidyah Bar David has posted comments on this change.

Change subject: pki: enforce lock file permissions same as ca private key
......................................................................

Patch Set 7: (2 comments)

http://gerrit.ovirt.org/#/c/25629/7/packaging/bin/pki-enroll-request.sh
File packaging/bin/pki-enroll-request.sh:

Line 88: # cannot use TMPDIR as we want the
Line 89: # same file at any environment
Line 90: # path must be local as remote filesystems
Line 91: # do not [always] support flock.
Line 92: LOCKFILE="/tmp/ovirt-engine-pki-v2.lock"
Maybe all of this can be simpler if we do that inside a private directory /tmp/ovirt-engine-pki-lock? mkdir has -m and is atomic.

Line 93: LOCKFILE_REF="${PKIDIR}/private/ca.pem"
Line 94:
Line 95: if [ -e "${LOCKFILE}" ]; then
Line 96: if [ "$(stat --printf "%F-%u-%g-%a\n" "${LOCKFILE}" "${LOCKFILE_REF}" 2>&1 | uniq | wc -l)" != 1 ]; then

Line 117: trap cleanup 0
Line 118: LOCKTMP="$(mktemp --tmpdir="$(dirname "${LOCKFILE}")")" || die "Cannot create temp lock file"
Line 119: chown --reference="${LOCKFILE_REF}" "${LOCKTMP}" || die "Cannot set ownership of lockfile '${LOCKTMP}'"
Line 120: chmod --reference="${LOCKFILE_REF}" "${LOCKTMP}" || die "Cannot set permissions of lockfile '${LOCKTMP}'"
Line 121: mv "${LOCKTMP}" "${LOCKFILE}" || die "Cannot create lockfile '${LOCKFILE}'"
There is still a race condition here - someone could create LOCKFILE between your checks and this mv.

Line 122: LOCKTMP=
Line 123: ) || exit $?
Line 124: fi
Line 125:

--
To view, visit http://gerrit.ovirt.org/25629
To unsubscribe, visit http://gerrit.ovirt.org/settings

Gerrit-MessageType: comment
Gerrit-Change-Id: I89d1bee3c7fff1bae2ee555d556e35171bef612c
Gerrit-PatchSet: 7
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: Alon Bar-Lev <[email protected]>
Gerrit-Reviewer: Sandro Bonazzola <[email protected]>
Gerrit-Reviewer: Yedidyah Bar David <[email protected]>
Gerrit-Reviewer: [email protected]
Gerrit-HasComments: Yes
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches
