On 10.08.2011 14:57, Alexander Bokovoy wrote:
> Ensure network configuration file has proper permissions
> 
> As network configuration file is created as temporary file, it has
> stricter permissions than we need for the target system configuration
> file. Ensure permissions are properly reset before installing file.
> 
> If permissions are not reset, system may have no networking enabled
> after reboot.
One more fix: relabel SELinux label after copying file.
-- 
/ Alexander Bokovoy
From 3cdc4a2eaa6691be4660cb1239ca271cd620ecf5 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <aboko...@redhat.com>
Date: Wed, 10 Aug 2011 15:15:01 +0300
Subject: [PATCH] Ensure network configuration file has proper permissions

As network configuration file is created as temporary file, it has stricter
permissions than we need for the target system configuration file. Ensure
permissions are properly reset before installing file.

If permissions are not re-set, system may have no networking enabled after
reboot.
---
 ipa-client/ipa-install/ipa-client-install |   10 ++++++++++
 1 files changed, 10 insertions(+), 0 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install 
b/ipa-client/ipa-install/ipa-client-install
index 
e3b9dfbab5975aade08ee36e98fc9a048df76784..1caf9c1ee4d0c30d1267f5bc028291a56f02e7c8
 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -23,6 +23,7 @@ try:
     import sys
 
     import os
+    import stat
     import time
     import socket
     import logging
@@ -564,6 +565,9 @@ $)''', re.VERBOSE)
                             statestore.backup_state('network', 'hostname', 
value)
                 new_config.write(new_line)
         new_config.flush()
+        # Make sure the resulting file is readable by others before installing 
it
+        os.fchmod(new_config.fileno(), stat.S_IRUSR | stat.S_IWUSR | 
stat.S_IRGRP | stat.S_IROTH)
+        os.fchown(new_config.fileno(), 0, 0)
 
     # At this point new_config is closed but not removed due to 'delete=False' 
above
     # Now, install the temporary file as configuration and ensure old version 
is available as .orig
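Review bot: The mode and ownership set on new_config are hard-coded (S_IRUSR | S_IWUSR | S_IRGRP | S_IROTH, uid 0, gid 0) rather than taken from the file being replaced, so any site-specific mode or ownership on the existing network configuration file is silently dropped. Consider reading them from the existing file when it is present and falling back to these values only when it is not. The added comment covers only the fchmod; it should also say why ownership is reset. Both calls also run without any error handling, unlike the restorecon call added later in this patch, so a failure here would abort the function before the file is installed.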
@@ -574,6 +578,12 @@ $)''', re.VERBOSE)
     except CalledProcessError, e:
         print >>sys.stderr, "Failed to set this machine hostname to %s (%s)." 
% (hostname, str(e))
 
+    # For SE Linux environments it is important to reset SE labels to the 
expected ones
+    try:
+        ipautil.run(['/sbin/restorecon', network_filename])
+    except CalledProcessError, e:
+        print >>sys.stderr, "Failed to set permissions for %s (%s)." % 
(network_filename, str(e))
+
 def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options):
     sssdconfig = SSSDConfig.SSSDConfig()
     sssdconfig.new_config()
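Review bot: The error message in the new except branch says "Failed to set permissions for %s", but the operation that failed is the SELinux relabel done by /sbin/restorecon, not a permission change; the fchmod and fchown happen earlier. Reword it to something like "Failed to restore SELinux context for %s" so whoever reads the installer output looks in the right place. Also, the restorecon path is hard-coded and only CalledProcessError is caught; if ipautil.run can raise a different exception when the binary is missing, a host without the SELinux tools would fail here instead of continuing, so it is worth checking that the file exists before calling it.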
-- 
1.7.6

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
