Alon Bar-Lev has uploaded a new change for review. Change subject: pki: enforce lock file permissions same as ca private key ......................................................................
pki: enforce lock file permissions same as ca private key
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1075209
Change-Id: I89d1bee3c7fff1bae2ee555d556e35171bef612c
Signed-off-by: Alon Bar-Lev <[email protected]>
---
M packaging/bin/pki-enroll-request.sh
1 file changed, 30 insertions(+), 9 deletions(-)
git pull ssh://gerrit.ovirt.org:29418/ovirt-engine refs/changes/44/26044/1
diff --git a/packaging/bin/pki-enroll-request.sh b/packaging/bin/pki-enroll-request.sh
index 47bc8fa..5fcad49 100755
--- a/packaging/bin/pki-enroll-request.sh
+++ b/packaging/bin/pki-enroll-request.sh
@@ -89,22 +89,43 @@ # same file at any environment
 # path must be local as remote filesystems
 # do not [always] support flock.
-LOCKFILE="/tmp/ovirt-engine-pki.lock"
+LOCK="/tmp/ovirt-engine-pki.v2.lock"
+LOCK_REF="${PKIDIR}/private"
-# create lock file if not already exists
-# make sure it is world readable so we can
-# lock file by any user.
-if ! [ -f "${LOCKFILE}" ]; then
- touch "${LOCKFILE}" || die "Cannot create lockfile '${LOCKFILE}'"
- chmod a+r "${LOCKFILE}"
-fi
+lock_is_ok() {
+ [ -e "${LOCK}" ] || return 1
+ [ "$(stat --printf "%F-%u-%g-%a\n" "${LOCK}" "${LOCK_REF}" 2>&1 | uniq | wc -l)" = 1 ] || return 1
+ return 0
+}
+
+retries=5
+while ! lock_is_ok; do
+ retries="$(($retries - 1))"
+ [ "${retries}" -eq 0 ] && die "Cannot establish lock '${LOCK}'"
+
+ #
+ # Random sleep so multiple instances
+ # will wakeup at different times.
+ #
+ sleep "$(($$ % 5))"
+
+ if ! lock_is_ok; then
+ rm -fr "${LOCK}"
+ [ -e "${LOCK}" -o -L "${LOCK}" ] && die "Cannot remove '${LOCK}' please remove manually"
+
+ if mkdir -m 700 "${LOCK}"; then
+ chown -R --reference="${LOCK_REF}" "${LOCK}" || die "Cannot set ownership of lock '${LOCK}'"
+ chmod -R --reference="${LOCK_REF}" "${LOCK}" || die "Cannot set permissions of lock '${LOCK}'"
+ fi
+ fi
+done
 # Wait for lock on fd 9
 (
  flock -e -w "${TIMEOUT}" 9 || die "Timeout waiting for lock. Giving up"
  cd "${PKIDIR}"
  sign "${NAME}" "${SUBJECT}" "${DAYS}"
-) 9< "${LOCKFILE}"
+) 9< "${LOCK}"
 result=$?
 exit $result
--
To view, visit http://gerrit.ovirt.org/26044
To unsubscribe, visit http://gerrit.ovirt.org/settings
Gerrit-MessageType: newchange
Gerrit-Change-Id: I89d1bee3c7fff1bae2ee555d556e35171bef612c
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-engine
Gerrit-Branch: ovirt-engine-3.4
Gerrit-Owner: Alon Bar-Lev <[email protected]>
_______________________________________________
Engine-patches mailing list
[email protected]
http://lists.ovirt.org/mailman/listinfo/engine-patches
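Review bot: `lock_is_ok` only accepts an entry at `${LOCK}` whose type, uid, gid and mode match `${PKIDIR}/private`, but `${LOCK}` keeps a fixed name in world-writable `/tmp`, so an entry of that name owned by another local user neither passes the check nor can be removed by `rm -fr` (sticky-bit directory), and the loop ends in `die "Cannot remove '${LOCK}' please remove manually"` with enrollment blocked until an administrator steps in. The ownership match thus stops a foreign user from sharing the lock (the reported bug) but not from holding the name; if the flock-on-remote-filesystem comment rules out placing the lock beside `${LOCK_REF}`, a local directory writable only by the service owner or root, rather than `/tmp`, would close that gap, and that reasoning belongs in the comment above `LOCK=`. Two smaller points in the same hunk: the five-attempt loop sleeps before its first `mkdir`, and when `${LOCK_REF}` is not a directory the `%F` comparison can never succeed yet the only diagnostic is "Cannot establish lock", so I would name the reference path in that `die` message. `lock_is_ok` also lacks a comment stating its contract; I would add `# usable only if it is the same kind of object as the CA private dir, with identical owner, group and mode` above the `stat` line. `die`, `PKIDIR` and `TIMEOUT` are defined outside the hunk.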
