Alon Bar-Lev has posted comments on this change. Change subject: pki: enforce lock file permissions same as ca private key ......................................................................
Patch Set 7: (1 comment) http://gerrit.ovirt.org/#/c/25629/7/packaging/bin/pki-enroll-request.sh File packaging/bin/pki-enroll-request.sh: Line 117: trap cleanup 0 Line 118: LOCKTMP="$(mktemp --tmpdir="$(dirname "${LOCKFILE}")")" || die "Cannot create temp lock file" Line 119: chown --reference="${LOCKFILE_REF}" "${LOCKTMP}" || die "Cannot set ownership of lockfile '${LOCKTMP}'" Line 120: chmod --reference="${LOCKFILE_REF}" "${LOCKTMP}" || die "Cannot set permissions of lockfile '${LOCKTMP}'" Line 121: mv "${LOCKTMP}" "${LOCKFILE}" || die "Cannot create lockfile '${LOCKFILE}'" > There is still a race condition here - someone could create LOCKFILE betwee so mv will fail if wrong ownership of destination or succeed and lock is ok. this change does not handle DoS, it just avoid engine being stack at waiting forever for lock. now that I am thinking about this, this change is not required as engine sets timeout anyway. this complexity just makes less trivial to lock the engine out. I tend to close it as wontfix or apply this as-is. Line 122: LOCKTMP= Line 123: ) || exit $? Line 124: fi Line 125: -- To view, visit http://gerrit.ovirt.org/25629 To unsubscribe, visit http://gerrit.ovirt.org/settings Gerrit-MessageType: comment Gerrit-Change-Id: I89d1bee3c7fff1bae2ee555d556e35171bef612c Gerrit-PatchSet: 7 Gerrit-Project: ovirt-engine Gerrit-Branch: master Gerrit-Owner: Alon Bar-Lev <[email protected]> Gerrit-Reviewer: Alon Bar-Lev <[email protected]> Gerrit-Reviewer: Sandro Bonazzola <[email protected]> Gerrit-Reviewer: Yedidyah Bar David <[email protected]> Gerrit-Reviewer: [email protected] Gerrit-HasComments: Yes _______________________________________________ Engine-patches mailing list [email protected] http://lists.ovirt.org/mailman/listinfo/engine-patches
