URL: https://github.com/freeipa/freeipa/pull/3031 Author: fcami Title: #3031: ipaserver/install/krainstance.py: chown after write Action: opened
PR body:
"""
MANUAL BACKPORT with temp commit.

When fs.protected_regular=1 root cannot open temp files that are owned by other users read-write. So move os.chown after write.

Refactoring suggested by Christian Heimes.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/3031/head:pr3031
git checkout pr3031
From 6d4546b613e704fb018f5942faf3090916dcc195 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fc...@redhat.com> Date: Wed, 10 Apr 2019 10:12:07 +0200 Subject: [PATCH 1/2] ipaserver/install/krainstance.py: chown after write MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When fs.protected_regular=1 root cannot open temp files that are owned by other users read-write. So move os.chown after write. Refactoring suggested by Christian Heimes. Fixes: https://pagure.io/freeipa/issue/7906 Signed-off-by: François Cami <fc...@redhat.com> --- ipaserver/install/krainstance.py | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py index 56135dd4aa..3b44651819 100644 --- a/ipaserver/install/krainstance.py +++ b/ipaserver/install/krainstance.py @@ -150,11 +150,6 @@ def __spawn_instance(self): parameters and passes it to the base class to call pkispawn """ - # Create an empty and secured file - (cfg_fd, cfg_file) = tempfile.mkstemp() - os.close(cfg_fd) - pent = pwd.getpwnam(self.service_user) - os.chown(cfg_file, pent.pw_uid, pent.pw_gid) self.tmp_agent_db = tempfile.mkdtemp( prefix="tmp-", dir=paths.VAR_LIB_IPA) tmp_agent_pwd = ipautil.ipa_generate_password() @@ -289,8 +284,11 @@ def __spawn_instance(self): ) # Generate configuration file - with open(cfg_file, "w") as f: + pent = pwd.getpwnam(self.service_user) + with tempfile.NamedTemporaryFile('w', delete=False) as f: config.write(f) + os.fchown(f.fileno(), pent.pw_uid, pent.pw_gid) + cfg_file = f.name try: DogtagInstance.spawn_instance( From 2b52dd658caef053eaed4ff25eee0210a7805a48 Mon Sep 17 00:00:00 2001 
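Review bot: in the first hunk (@@ -150,11 +150,6 @@) the removal of the mkstemp/os.close/os.chown block means cfg_file and pent are no longer bound at the top of __spawn_instance but only in the second hunk, roughly 130 lines later. Please confirm that nothing in between references cfg_file (an early error path that unlinks it, or a value passed into the config being built); any such use would now raise UnboundLocalError instead of doing its cleanup. If there is none, a one-line note in the commit message saying the file is now created immediately before it is consumed would make that explicit for the backport.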
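Review bot: in the second hunk (@@ -289,8 +284,11 @@) the ordering of config.write(f) before os.fchown(f.fileno(), ...) is the entire fix, but nothing in the code says why; add a comment above the fchown such as "chown after write: with fs.protected_regular=1 root cannot reopen a file in /tmp owned by another user", otherwise a later cleanup can move the chown back up and reintroduce issue 7906. Two follow-up checks: tempfile.NamedTemporaryFile(delete=False) makes the caller responsible for removing the file, and the hunk ends at "try:", so please verify that the surrounding finally/cleanup still unlinks cfg_file on both the success and the failure path of DogtagInstance.spawn_instance; and since the temp file is created 0600 and is now owned by the service user before the with block closes it, confirm that pkispawn only reads it as that user (or as root, which bypasses DAC for reads), because group/other have no access to it.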
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fc...@redhat.com> Date: Thu, 11 Apr 2019 11:00:31 +0200 Subject: [PATCH 2/2] add temp commit - remove before merge --- .freeipa-pr-ci.yaml | 2 +- ipatests/prci_definitions/temp_commit.yaml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml index abcf8c5b63..8065669008 120000 --- a/.freeipa-pr-ci.yaml +++ b/.freeipa-pr-ci.yaml @@ -1 +1 @@ -ipatests/prci_definitions/gating.yaml \ No newline at end of file +ipatests/prci_definitions/temp_commit.yaml \ No newline at end of file diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml index d5c2b59ae7..f001181334 100644 --- a/ipatests/prci_definitions/temp_commit.yaml +++ b/ipatests/prci_definitions/temp_commit.yaml @@ -45,14 +45,14 @@ jobs: timeout: 1800 topology: *build - fedora-29/temp_commit: + fedora-29/test_vault: requires: [fedora-29/build] priority: 50 job: class: RunPytest args: build_url: '{fedora-29/build_url}' - test_suite: test_integration/test_REPLACEME.py + test_suite: test_integration/test_vault.py template: *ci-master-f29 - timeout: 3600 - topology: *master_1repl_1client + timeout: 6300 + topology: *master_1repl
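Review bot: the .freeipa-pr-ci.yaml hunk repoints the gating symlink at ipatests/prci_definitions/temp_commit.yaml, which must not land on the target branch; the subject already says "remove before merge", so the first commit should be merged alone and this one dropped from the branch once PR CI has run.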
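Review bot: in the temp_commit.yaml hunk the timeout goes from 3600 to 6300 seconds while the topology shrinks from *master_1repl_1client to *master_1repl; if test_integration/test_vault.py really needs 105 minutes on a two-host topology, say so in the job definition, because an oversized timeout hides a hung KRA install in CI rather than failing it. This only matters if the temp commit is kept for more than one CI run.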
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
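Added example (editor's code, not part of the PR or of FreeIPA): the two orderings from the patch side by side, so the fs.protected_regular failure mode can be reproduced and the fixed sequence checked. write_config_old_order mirrors the removed mkstemp/close/chown/open sequence, write_config_new_order mirrors the NamedTemporaryFile/write/fchown sequence. The unprivileged round trip uses the caller's own uid and so runs anywhere; reproduce_as_root assumes a local user "nobody" as a stand-in for the pkiuser service account and /tmp as the sticky world-writable directory, and is only meaningful as root on a Linux kernel that has the sysctl.

```python
"""Ordering of chown versus write for a root-created temp file.

Editor's example, not FreeIPA code.  Mirrors the before/after sequences in
the krainstance.py patch.  The old order fails with EACCES for root under
fs.protected_regular=1 when the file lives in a sticky world-writable
directory (e.g. /tmp) and is owned by another user, because the second
open() carries O_CREAT; the new order never reopens a foreign-owned file.
"""
import errno
import os
import pwd
import stat
import tempfile


def protected_regular_setting():
    """fs.protected_regular as the kernel reports it, or None when the
    sysctl is absent (non-Linux or an older kernel)."""
    try:
        with open("/proc/sys/fs/protected_regular") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def write_config_old_order(text, uid, gid, dir=None):
    """Pre-patch sequence: create an empty 0600 file, chown it away, then
    open it again for writing.  That second open() is the call the kernel
    refuses once the file belongs to someone else."""
    fd, path = tempfile.mkstemp(dir=dir)
    os.close(fd)
    os.chown(path, uid, gid)
    try:
        with open(path, "w") as f:      # O_WRONLY|O_CREAT|O_TRUNC
            f.write(text)
    except OSError:
        os.unlink(path)
        raise
    return path


def write_config_new_order(text, uid, gid, dir=None):
    """Patched sequence: write while the file is still ours, then hand it
    over on the open descriptor.  NamedTemporaryFile creates it 0600, so
    group/other never get read access to the config."""
    with tempfile.NamedTemporaryFile("w", dir=dir, delete=False) as f:
        f.write(text)
        os.fchown(f.fileno(), uid, gid)  # must stay after the write
        path = f.name
    return path


def inspect_file(path):
    """Owner, group, permission bits and content of a written file."""
    st = os.stat(path)
    with open(path) as f:
        content = f.read()
    return {"uid": st.st_uid, "gid": st.st_gid,
            "mode": stat.S_IMODE(st.st_mode), "content": content}


def roundtrip(writer, text):
    """Run a writer with the caller's own uid/gid (works unprivileged),
    inspect the result and remove the file."""
    path = writer(text, os.getuid(), os.getgid())
    try:
        return inspect_file(path)
    finally:
        os.unlink(path)


def reproduce_as_root(target_user="nobody", dir="/tmp"):
    """Only meaningful as root on Linux; returns None otherwise.  Reports the
    errno name the old order raises (EACCES expected with
    protected_regular >= 1), or None if it succeeded, and whether the new
    order left the file owned by target_user.  'nobody' is an assumed
    stand-in for the pkiuser service account."""
    if os.geteuid() != 0:
        return None
    pent = pwd.getpwnam(target_user)
    try:
        p = write_config_old_order("[DEFAULT]\n", pent.pw_uid, pent.pw_gid, dir)
        os.unlink(p)
        old_error = None
    except OSError as e:
        old_error = errno.errorcode.get(e.errno, str(e.errno))
    p = write_config_new_order("[DEFAULT]\n", pent.pw_uid, pent.pw_gid, dir)
    new_owner_ok = os.stat(p).st_uid == pent.pw_uid
    os.unlink(p)
    return {"protected_regular": protected_regular_setting(),
            "old_order_error": old_error, "new_order_owner_ok": new_owner_ok}


if __name__ == "__main__":
    print("fs.protected_regular =", protected_regular_setting())
    print("unprivileged round trip:", roundtrip(write_config_new_order, "x=1\n"))
    print("root reproduction:", reproduce_as_root())
```

Run it as root on a host with fs.protected_regular=1 and a sticky /tmp to see old_order_error come back as EACCES while the new order succeeds; unprivileged, both orderings succeed because the file is never owned by anyone else, which is exactly why the bug only showed up for root-run installers.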